In current implementation, any changes made to the environment will not likely be logged within Splunk, certainly not in _internal et al. If you make changes via config files outside the UI or API, those things actions and changes can't be logged within Splunk.
You can ingest the files themselves to compare _raw or even single line values, depending on your parsing preferences. However, it might be useful to have an external tool create hashes of all the files and store a log entry into Splunk with the hash, full path, and other metadata about the files. Then you can more easily report on changes to any of these files, including users.