you need to ask your data center (whoever is asking for this) to identify what kinds of transaction they are interested in. For instance, in windows, the user creation event might be represented by a Windows event code 4724 or 624. Within Active Directory, it might be represented by 4720, 4722, 4724 and/or 4738. Th logon might be a 528 or 4624. It also might be ssh/putty or other remote logons.
On the other hand, on various linux machines, you will need the wording of the actual events. are they looking for su and sudo events, pam records, or something else?
If no one around you can tell you the format you are looking for, then you have to look for yourself.
Log off, log on, then look for the records in whatever index someone says they ought to be in. Here are some other suggestions in the answer to this one:
https://answers.splunk.com/answers/548689/is-it-possible-to-monitor-sudo-and-root-users-usin.html
here is some language that someone wrote to search out this kind of data. some of it may be useful to you.
https://answers.splunk.com/answers/617340/how-can-i-tie-together-windows-logon-and-linux-ssh.html
user has created new user from splunk UI and logged in with new user in UI console.
What logs you're searching on?