I want to have a report when an account is created in active directory?
How I can process it?
see my answer in https://answers.splunk.com/answers/776027/how-to-display-a-modification-on-the-active-direct-1.html
Anyway, you have to search in Splunk the EventCode=4720:
but the problem is that usually you haven't these EventCodes because this audit isn't enabled by default in Domain Controllers, so you have to enable it following instructions in my answer.