Have you tried something like this...

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
| fields EventCode, Account_Name, Account_Domain
| eval admin_Account_Name=mvindex(Account_Name,0), admin_Account_Domain=mvindex(Account_Domain,0)
| eval user_Account_Name=mvindex(Account_Name,1), user_Account_Domain=mvindex(Account_Domain,1) 
| eval user = user_Account_Domain. " \\ ". user_Account_Name
| eval admin = admin_Account_Domain. " \\ ". admin_Account_Name
| table _time, user, admin
| sort -time
| rename  user as "Password Changed for account", admin as "Changed By"