I would need more information on what sort of monitoring is set up on your domain controllers...
I can break this down into two issues:
1) Password resets:
Assuming you are onboarding Windows security logs, have you looked at Windows Event ID 4724/4723 for password resets?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4724
2) Accounts expired or near expiration:
Assuming you are onboarding Windows security events, there should be an 'Account Expires' field for a user-related event that you can try creating some analytics around.
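A sketch of both checks from the answer above, as an added example that is not part of the original post: it picks out 4723/4724 password events and flags accounts from their latest 'Account Expires' value. The event dictionaries and their field names are constructed stand-ins for whatever your pipeline extracts; the assumptions are that 4720/4738 events carry the field, that `-` means unchanged, and that `<never>` means no expiry.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are hypothetical
# stand-ins for whatever your log pipeline extracts from the Security log.
SAMPLE_EVENTS = [
    {"EventCode": 4724, "Subject": "helpdesk1", "Target": "alice"},
    {"EventCode": 4723, "Subject": "bob", "Target": "bob"},
    {"EventCode": 4738, "Subject": "admin1", "Target": "carol", "AccountExpires": "3/10/2024 12:00:00 AM"},
    {"EventCode": 4738, "Subject": "admin1", "Target": "dave", "AccountExpires": "<never>"},
    {"EventCode": 4720, "Subject": "admin1", "Target": "erin", "AccountExpires": "2/1/2024 12:00:00 AM"},
    {"EventCode": 4738, "Subject": "admin1", "Target": "erin", "AccountExpires": "-"},
    {"EventCode": 4738, "Subject": "admin1", "Target": "frank", "AccountExpires": "6/1/2024 12:00:00 AM"},
]

# 4723 = password change attempt, 4724 = password reset attempt
PASSWORD_EVENTS = {4723: "change", 4724: "reset"}

def password_activity(events):
    """Return (kind, actor, target) for each password change/reset attempt."""
    return [(PASSWORD_EVENTS[e["EventCode"]], e["Subject"], e["Target"])
            for e in events if e["EventCode"] in PASSWORD_EVENTS]

def expiry_report(events, now, warn_days=14):
    """Map account -> 'expired' or 'expiring' from its latest Account Expires value."""
    latest = {}
    for e in events:  # events are assumed to be in chronological order
        value = e.get("AccountExpires")
        if value is None or value == "-":  # assumption: "-" means the field was not changed
            continue
        if value == "<never>":
            latest.pop(e["Target"], None)  # expiry was removed from the account
            continue
        # Assumption: US-style timestamp; adjust the format to your locale.
        latest[e["Target"]] = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")
    report = {}
    for account, expires in latest.items():
        if expires <= now:
            report[account] = "expired"
        elif expires - now <= timedelta(days=warn_days):
            report[account] = "expiring"
    return report

if __name__ == "__main__":
    print(password_activity(SAMPLE_EVENTS))
    print(expiry_report(SAMPLE_EVENTS, datetime(2024, 3, 1)))
```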