I actually filed an enhancement request for this exact thing at the conference, but the more you file, the more attention it gets :). Also put in your business case when you put it in, it helps them know what it is used for.
Another thing you can try is use fschange on /splunkhome/etc/users/ directory. This way you could use the DIFF command for the files within to see what changed. I doubt you would be able to tell WHO changed it though.
So, by the first reply, you can possibly see who changed user privileges, and by the second one you can tracked what was changed.
I think this is as far as we can presently go with splunk.
See if this other thread helps you out: http://answers.splunk.com/questions/2286/search-for-deleted-splunk-users/3346#3346
Granted deleted vs modified is a bit different but im assuming it could be done in a similar way?
i think that is all the logs will be able to tell you. If you want more info you can file an enhancement request.
Yes, this tells me that a particular user modified another user but it doesn't seem to tell me what was modified.
Yeah, probably a POST instead of DELETE to the endpoint