You would need to monitor an output that contains the list of local admins, and that does not happen automatically on Windows systems.
You could create a script to run on a schedule that generates a list of local admins, and read that data into Splunk. The command to run in the script would be this I think:
net localgroup administrators
Thanks that looks like it works. But how would I output this to a file? Can i create a new file in the Splunk forwarder directory on the remote server?