This should find successful password changes.
user will be the user that initiated the change,
object will be the user that was changed.
index=_audit action="password change" info=succeeded
That's too little info. What exactly did you do, and what happened? The search doesn't run? It doesn't return any results? It doesn't return the expected results? You should at least check the following: do you have the permissions to access
_audit? Are you on a distributed environment and is the content of
_audit forwarded to your indexers?