Splunk Search

List of computers extracted from the computer

magun
New Member

Scenario: In a way, the local admin user can be retrieved, the computer to remove the domain, and without the domain to list the list of people who use the computer

0 Karma

nickhills
Ultra Champion

Ok, a few terminology clarifications:

A local admin can not remove a computer from a domain.
A local admin however, can switch a local computer account to a workgroup.

This is problematic, because I do not believe the local system records if a workgroup membership is changed, and the domain controllers will be unaware that this change has been made.

On the other hand, if the user was a domain admin, the DCs would log Event ID 4743.

Your follow up questions:
You can run a script (via a UF) to enumerate the users of the local admins group and index this data. You could collect this data daily and then monitor for changes to this membership.

Once you have a list of the user accounts with local admin rights, you can then look for 4624 events which mention these users to see when they log in - these will be local events - again not shared with the DC.

Finding a list of computers removed - that's super complicated!
My best guess is that you want to query ldap for a list of all computer accounts and record their last login date (you will need to collect this from ALL domain controllers, because lastlogin is not replicated)
Then you need to compare this list to all computers which are sending events to Splunk. If something is sending data to Splunk, more than 24 hours after the last computer account domain login, you could 'guess' that it had been removed from the domain.

There are a lot of ifs (and buts) in the above, and Splunk is probably not the correct tool on its own for this.
I could ramble on about how no-one should have local admin rights, and other policy/technical limitations, but bottom line is if your users are doing things they should not be doing - you need to address that by removing their ability to do so.

If my comment helps, please give it a thumbs up!
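The two collection steps nickhills sketches above (a scripted input that enumerates the local Administrators group so its membership can be indexed and diffed day to day, and a per-DC lastLogon sweep compared against the hosts Splunk is still hearing from) as an added PowerShell example. This is not code from the thread or from Splunk; it assumes Windows PowerShell 5.1 or later, the ActiveDirectory module (RSAT) on the machine that runs the comparison, and a CSV export of Splunk's host list with columns `host,recentTime` (epoch seconds), such as the output of `| metadata type=hosts index=wineventlog | fields host recentTime`. The function names, the CSV layout and the 24-hour grace period are this example's own choices.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+, the
# ActiveDirectory (RSAT) module for Get-ADComputer, and a Splunk host export CSV
# with columns host,recentTime. Function names are this example's own.

# --- Part 1: scripted input for the Universal Forwarder ----------------------
# Emits one key=value event per member of BUILTIN\Administrators. Index these
# daily and a scheduled search can alert when the member set changes.
function Get-LocalAdminInventory {
    $stamp    = (Get-Date).ToUniversalTime().ToString('o')
    $computer = $env:COMPUTERNAME
    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so this
        # also works on localised builds where the group name is translated.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        foreach ($m in $members) {
            # Quote every value so names containing spaces stay a single field.
            '{0} computer="{1}" member="{2}" class="{3}" source="{4}" sid="{5}"' -f `
                $stamp, $computer, $m.Name, $m.ObjectClass, $m.PrincipalSource, $m.SID
        }
    } catch {
        # Orphaned SIDs in the group can make the cmdlet throw; emit an error
        # event rather than silently producing no data for this host.
        '{0} computer="{1}" error="{2}"' -f $stamp, $computer, $_.Exception.Message
    }
}

# --- Part 2: lastLogon is per-DC and never replicated, so ask every DC --------
# Returns a hashtable: upper-case computer name -> newest lastLogon seen on any DC.
function Get-ComputerLastLogon {
    param([Parameter(Mandatory)][string[]]$DomainController)
    Import-Module ActiveDirectory -ErrorAction Stop
    $latest = @{}
    foreach ($dc in $DomainController) {
        Get-ADComputer -Server $dc -Filter * -Properties lastLogon | ForEach-Object {
            # lastLogon is a FILETIME int64; 0 means this DC never saw a logon.
            $t = if ($_.lastLogon) { [DateTime]::FromFileTimeUtc([int64]$_.lastLogon) }
                 else { [DateTime]::MinValue }
            $name = $_.Name.ToUpperInvariant()
            if (-not $latest.ContainsKey($name) -or $t -gt $latest[$name]) {
                $latest[$name] = $t
            }
        }
    }
    return $latest
}

# --- Part 3: hosts still talking to Splunk long after their last domain logon -
# Flags a host when Splunk received data more than $GraceHours after the newest
# lastLogon any DC holds for it, or when no computer account exists at all.
function Compare-DomainComputersToSplunk {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][string]$SplunkHostsCsv,   # columns: host,recentTime
        [int]$GraceHours = 24
    )
    $lastLogon = Get-ComputerLastLogon -DomainController $DomainController
    $epoch = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    Import-Csv -Path $SplunkHostsCsv | ForEach-Object {
        # Splunk may record the FQDN; AD's Name attribute is the short name.
        $shortName = $_.host.Split('.')[0].ToUpperInvariant()
        $seen      = $epoch.AddSeconds([double]$_.recentTime)
        if (-not $lastLogon.ContainsKey($shortName)) {
            [pscustomobject]@{ Host = $shortName; Verdict = 'no-domain-account'
                               LastSplunkEvent = $seen; LastDomainLogon = $null }
        } elseif ($seen -gt $lastLogon[$shortName].AddHours($GraceHours)) {
            [pscustomobject]@{ Host = $shortName; Verdict = 'suspect-left-domain'
                               LastSplunkEvent = $seen; LastDomainLogon = $lastLogon[$shortName] }
        }
    }
}

# Example invocation (names are placeholders):
# Get-LocalAdminInventory            # run this one from the UF on a schedule
# Compare-DomainComputersToSplunk -DomainController 'DC01','DC02' `
#     -SplunkHostsCsv 'C:\temp\splunk_hosts.csv' | Format-Table
```

Run `Get-LocalAdminInventory` from the forwarder on a daily schedule (the UF's PowerShell or script input) and keep the comparison on an admin workstation with RSAT. Treat the `suspect-left-domain` verdict as a lead to check manually rather than an alert: a machine that has stayed up for a long stretch without re-authenticating to a DC will also fall outside the grace window, which is one of the "ifs and buts" the answer warns about.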

magun
New Member

1- How do I find a list of local admin users?
2- How do I find out which local host is logged in?
3- How do I find the list of hosts removed from these hosts in login

0 Karma

FrankVl
Ultra Champion

That's a Windows security question, not a Splunk question, so you might be better off asking this on some Windows user community or so. But perhaps someone comes by here who has experience with this specific use case.

0 Karma

nickhills
Ultra Champion

Can you phrase your question another way?
I'm not sure I understand what you are asking.

If my comment helps, please give it a thumbs up!
0 Karma

magun
New Member

How do I tell if local admin removes a computer from a domain

0 Karma

FrankVl
Ultra Champion

And your question is???

0 Karma

magun
New Member

How do I tell if local admin removes a computer from a domain

0 Karma