The following has been added to known issues:

SPL-199409, SPL-199691: Windows EventLog SIDs no longer resolving after upgrade to 8.1 

Splunk Devs acknowledged the bug (I work with @abaumbusch) and provided the following workarounds:

• replace the splunk-winevtlog.exe binary on an 8.1.x forwarder with a copy from an 8.0.x forwarder, OR
• set 'use_old_eventlog_api' to true for any WinEventLogs that need the SID/GUID translation. It was found that this issue does not affect any channel where 'use_old_eventlog_api' is enabled.

I opened a support case with Splunk, but research on their end is still ongoing. They thought the issue might be with Windows machines on older versions of the OS (e.g. 2012), but we are seeing this on 2016 servers as well. If I do get a solutions from them, I will make sure to post it. Thanks for your response!

Have you managed to resolve this?

I have this exact same problem, unfortunately haven't found any other solution than downgrading to 8.0.x

Enabled DEBUG logging but can't find any indication of what is failing, following this article here https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/MonitorWindowseventlogdata suggest 

"If you discover that SIDs are not being translated properly, you can review %SPLUNK_HOME%\var\log\splunkd.log for clues on what the problem might be. Problems with SID translations appear in the DsCrackNamesW API, which appear at the DEBUG logging level for splunkd.log, in the ExecProcessor log facility. For information on how to set the DEBUG logging level to see debug logs, see Enable debug logging in the Troubleshooting Manual." 

Any suggestions appreciated!