Hi gharpe2
AFAIK you cannot see this kind of information in the WMI: Security event log and therefore you cannot search for it. maybe you can use a scripted output to read the users permission and feed that into splunk to make it searchable.
cheers