It depends on what information you have ingested into your Splunk environment.
Splunk is "just" a data processing tool. You have to feed it with data. If you have your AD logs in Splunk, you can search them but while there might be some people around here who have more experience with MS systems, it's generally more of a AD-related question how to find that info than it is a Splunk Question. You must know what to look for.
If your data is properly onboarded and CIM-compliant, you can look through Change datamodel (if I remember the syntax correctly)
| datamodel Change Account_Management.Locked_Accounts | search user="whatever"
I'm not sure though if it will only find the lockout event as such or will it contain the reason as well.
