Probably needs tweaking, but these should give you some ideas...
Simplest approach
Look over some period for any cases where one IP address has more than one MAC address:
eventtype=foo | stats dc(senderMAC) as MACCount list(senderMAC) by senderIP
| search MACCount > 1
Track all New MACs for a given IP
Search 1 -- Tracking:
eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
| outputlookup arplookup
Search 2 -- Alerting:
eventtype=foo | dedup senderIP, senderMAC
| lookup arplookup senderIP OUTPUT senderMAC as oldMAC
| search oldMAC=* NOT senderMAC=oldMAC
Track all New MAC-IP Pairs
This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...
Search 1 -- Tracking:
eventtype=foo | dedup senderMAC, senderIP | eval knownpair =1
| fields senderMAC,senderIP,knownpair | outputlookup macpairs
Search 2 -- Alerting:
eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
| search NOT knownpair=1
