Building your own auditing is pointless - you'll never be as accurate as a kernel-level well-matured Linux tool built for exactly this purpose. Why re-invent the wheel? Connect Splunk to the wheel for added horsepower 😄
Splunk wouldn't really be an ideal tool for this from my view. But you can do this with splunk. Write a simple script which will basically do an ls -l and run the script every 10/15 mins. Once the data is in splunk you can write searches which will check its previous state and the present state and if it changes send an alert.
Now the reason why Splunk isn't the right tool to do it.
You will be ingesting pretty decent amount of data to find a change of permissions