There is a probe for monitoring Active Directory events - adevl. Supposedly, it does the same event log monitoring that the ntevl probe does, but with special things in it for Active Directory. HOWEVER... the AD probe does not seem to get updated with the same frequency that the ntevl probe does and it suffers from lagging behind. As a result, I have taken the things I care about in AD and just added them to my ntevl probe. This works every time where my results with the AD probe have been... unreliable.
Here is a list of event codes for user management in AD. I think the one you want would be 4725.
User Account Management
The following table lists the event IDs of the user account management category.
Event ID | Reason |
4720 | A user account was created. |
4722 | A user account was enabled. |
4723 | An attempt was made to change an account's password. |
4724 | An attempt was made to reset an account's password. |
4725 | A user account was disabled. |
4726 | A user account was deleted. |
4738 | A user account was changed. |
4740 | A user account was locked out. |
4767 | A user account was unlocked. |
4780 | The ACL was set on accounts which are members of administrators groups. |
4781 | The name of an account was changed. |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password. |
5376 | Credential Manager credentials were backed up. |
5377 | Credential Manager credentials were restored from a backup. |
HTH,
Chris
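
The following is an added example, not part of the post above and not probe configuration: a PowerShell check that events such as 4725 are actually being written to a domain controller's Security log, and by whom, before pointing a monitoring profile at them. The function name `Get-AccountChangeEvent` and its parameters are hypothetical; it assumes an elevated session and that the "Audit User Account Management" audit subcategory is enabled.

```powershell
# Subset of the event IDs from the table above whose event data carries
# the same Target*/Subject* fields.
$AccountEvents = @{
    4720 = 'created'
    4722 = 'enabled'
    4725 = 'disabled'
    4726 = 'deleted'
    4767 = 'unlocked'
}

# Hypothetical helper (name and parameters are illustrative).
function Get-AccountChangeEvent {
    param(
        [int[]]$Id = @(4725),
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as an error; it is silenced here,
    # so remove -ErrorAction while troubleshooting access problems.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Named fields live in the event XML, not in the rendered message.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Action      = $AccountEvents[[int]$_.Id]
                Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LoggedOn    = $_.MachineName
            }
        }
}

# Accounts disabled in the last 24 hours, as recorded on this machine.
Get-AccountChangeEvent -Id 4725 -Hours 24 | Sort-Object TimeCreated | Format-Table -AutoSize
```

These events are recorded on the domain controller that processed the change, so an empty result on one DC does not mean the event is missing everywhere.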