Give this a try
Updated

index="wineventlog" host=opdc* Account_Name=*test_user EventCode=4624 
 | makemv Account_Name
 | mvexpand Account_Name
 | eval day=strftime(_time, "%d-%m-%y") 
 | join type=left src_ip 
     [ search index=ad source=addnsscan earliest=-12h@h latest=now 
     | rename data as src_ip, name as hostname
     | fields src_ip, hostname] 
 | stats earliest(_time) AS earliest by Account_Name, src_ip, hostname, day 
| eval offset=strptime("00:00Z","%H:%M%Z")-strptime("00:00EDT","%H:%M%Z")
 | eval earliest=strftime(earliest+offset,"%d/%m/%Y %H.%M.%S %Z")
| fields - offset