Adonio, where in the response the account type? I see that I can get the account name, account domain and security id for both account creator and account created, but no account type can be found. Thanks for replying.

to understand better, you are looking for changes or new accounts that has "Administrator" privileges. these accounts might be created by anyone that has permissions to create accounts. is that a true statement?

I think that my lack of knowledge on the flow of events related to account creation on a windows server did not allow me to ask the correct question. After some research I believe that there is one event for new account created and another event for adding that account to the "Administrators" group.
Initially I thought that I could retrieve that information from the account creation Event logs - EventCode=4720.
At this point I am looking for newly created accounts that have Administrator privileges. No matter if it was created by someone with permission to or not - I am assuming it will only be created by accounts with permission to do so. I am no longer worried about the enabling of accounts.
I have found a way to do so.
Below is my comment to the previous answer,

"Since I could not find a way to retrieve the account type, I am currently just retrieving new accounts created and also retrieving EventCode=636(Security Enabled Local Group Member Added) and EventCode=4732 (A member was added to a security-enabled local group).

These events will tell me what groups the created users were added to.
Since I am writing c# code I can retrieve only the users that were added to the Administrators group.

Current search query,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4732 OR EventCode=624 OR EventCode=636 ) AND Account_Name=Administrator"

Thank you.

beautiful,
if you are happy with your solution, please post as an answer and mark as accepted. or accept another answer here to close the question
have a great weekend

I had not.
Since I can see the returned data, I can see that for the "Account Name" name the value is always Administrator.
Also have a feeling that the correct operator would be "!=" and not the "NOT".
There is no "Standard User" value in the data retrieved for the standard user created, therefore I can't filter for that. At least not for the value "Account_Name" but I went ahead and tried your code and it still returns the "Standard User" type account.
So, that is not the solution.

I took your "Standard User" quote literally.
Something in the event is telling you that this Administrator is not really an admin. You need to teach Splunk how to spot that indicator.
NOT tells Splunk to ignore events that contain whatever follows.
!= looks for a specific field. foo!=bar will return events that have a field called 'foo' the value of which is not 'bar'.

I have used a text comparison tool to compare the differences btw the data returned for an admin account created vs. a standard user account created but found nothing that identifies an account/user as admin or not.

Have modified the query to check for eventcodes 624 and 626,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4722 OR EventCode=624 OR EventCode=626) AND Account_Name=Administrator

I am not sure on how to find this. Is there a way for me to add more data being displayed/returned?

I am working on C# code to handle the result of the query...

Thanks for the suggestion and help with the NOT/!=

Since I could not find a way to retrieve the account type, I am currently just retrieving new accounts created and also retrieving EventCode=636(Security Enabled Local Group Member Added) and EventCode=4732 (A member was added to a security-enabled local group).

These events will tell me what groups the created users were added to.
Since I am writing c# code I can retrieve only the users that were added to the Administrators group.

Current search query,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4732 OR EventCode=624 OR EventCode=636 ) AND Account_Name=Administrator