The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.