Account management events include the creation, deletion, and modification of an account, as well as renaming, disabling, and enabling an account, and the setting or changing of a password.
You can use Group Policy to specify whether to audit all activity, or just successes, or just failures.
To enable account management auditing:
1. In the Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
2. In Audit account management, check the Define these policy settings box.
3. Check the Success and/or Failure boxes.
4. Press Apply and OK.
NOTE: If you subsequently want to disable auditing, clear the Success and Failure boxes.
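
Once the policy has applied, the following PowerShell confirms the setting is in effect and lists the resulting events. It is an added example, not part of the original procedure. It assumes an elevated session on the audited machine, an English-language Windows install (for the auditpol category name), and the standard Security log event IDs for the account actions listed above.

```powershell
# Added example: verify account management auditing and review its events.

# 1. Show the effective audit setting for each Account Management subcategory.
auditpol /get /category:"Account Management"

# 2. Security log event IDs for the account actions this policy covers.
$AccountEvents = @{
    4720 = 'Account created'
    4722 = 'Account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4725 = 'Account disabled'
    4726 = 'Account deleted'
    4738 = 'Account changed'
    4781 = 'Account renamed'
}

# 3. Collect matching events from the last 24 hours.
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($AccountEvents.Keys)
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No account management events found. Check that the policy has applied.'
    return
}

# 4. Flatten each event into actor / action / target / result.
$AuditSuccess = 0x20000000000000   # standard "Audit Success" keyword bit
$events | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Rename events (4781) carry old and new names instead of TargetUserName.
    $target = if ($data.ContainsKey('TargetUserName')) { $data['TargetUserName'] }
              else { '{0} -> {1}' -f $data['OldTargetUserName'], $data['NewTargetUserName'] }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Action = $AccountEvents[$_.Id]
        Result = if ($_.Keywords -band $AuditSuccess) { 'Success' } else { 'Failure' }
        Actor  = $data['SubjectUserName']
        Target = $target
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If only Success was checked in step 3, failed attempts (for example a rejected password change) will not appear in this output.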