You can search the _audit index for user changes.

index=_audit sourcetype=audittrail action=edit_user

Then you can specify a user that you are looking for or the "object" that was changed.

example output:

Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=granted object="james" operation=edit][n/a]
Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=succeeded object="james" password_changed=false realname="james johnson" email="[email protected]" roles="admin+power+user" password_state="" unlock_user=1 , default_app="launcher", ji=""][n/a]