This isn't going to answer the precise question you asked but I think you can get what you are looking for.
Based on information in the NSA's "Spotting the Adversary with Windows Event Log Monitoring" document, I came up with the search below to show all logon activity. If you have a lookup or some other way to associate the logon ID with the computer name, you could pipe it to where and identify when someone is using a logon on a computer that they "shouldn't".
Note that you'll need to modify it for your environment and I have the time range as part of the query. I'm sure the search could be improved too.
Hope this helps.
index=your.windows.event.log.index earliest=-d@d latest=@d (EventCode=4624 OR EventCode=4648 OR EventCode=4625) (Logon_Type=3 OR Logon_Type=2 OR Logon_Type=7 OR Logon_Type=11) Account_Name!="ANONYMOUS LOGON" | eval LogonAction=case(Logon_Type=2, "Interactive Logon", Logon_Type=3, "Network Logon", Logon_Type=7, "Unlock", Logon_Type=11, "CachedInteractive") | search Account_Name!=- | rex field=Account_Name "(?i)(?P<UserName>(.*[^\$]$))" | table UserName Security_ID LogonAction Keywords ComputerName _time Logon_Process Process_Name Caller_Process_Name | mvexpand Security_ID | search Security_ID!="NT AUTHORITY\\SYSTEM"
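Added example, not part of the original post: the lookup-and-filter step the answer describes, written in Python so it can be run outside Splunk. It applies the same event code, logon type and account exclusions as the search, then flags logons on computers outside each account's allow-list. The `ALLOWED` mapping, the helper names and the sample events are constructed assumptions.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "user computer action event_code time")

# Event codes and logon types kept by the search in the post.
EVENT_CODES = {"4624", "4625", "4648"}
LOGON_ACTION = {"2": "Interactive Logon", "3": "Network Logon",
                "7": "Unlock", "11": "CachedInteractive"}

# Hypothetical lookup (assumption): account -> computers it is expected to use.
ALLOWED = {"alice": {"WS-ALICE"}, "svc_backup": {"FS01", "FS02"}}

def _ev(code, ltype, account, sid, computer, time):
    return {"EventCode": code, "Logon_Type": ltype, "Account_Name": account,
            "Security_ID": sid, "ComputerName": computer, "_time": time}

# Constructed sample events, using the field names from the search.
EVENTS = [
    _ev("4624", "2", "alice", "CORP\\alice", "WS-ALICE", "2024-01-10T08:01:12"),
    _ev("4624", "3", "alice", "CORP\\alice", "fs01", "2024-01-10T08:05:40"),
    _ev("4624", "3", "WS-ALICE$", "CORP\\WS-ALICE$", "DC01", "2024-01-10T08:06:02"),
    _ev("4624", "3", "ANONYMOUS LOGON", "NT AUTHORITY\\ANONYMOUS LOGON", "DC01",
        "2024-01-10T08:07:30"),
    _ev("4625", "2", "svc_backup", "CORP\\svc_backup", "WS-ALICE", "2024-01-10T09:14:55"),
    _ev("4624", "5", "alice", "CORP\\alice", "DC01", "2024-01-10T09:20:00"),
    _ev("4624", "2", "SYSTEM", "NT AUTHORITY\\SYSTEM", "DC01", "2024-01-10T09:21:00"),
]

def unexpected_logons(events, allowed):
    """Return logons on computers outside each account's allow-list."""
    findings = []
    for ev in events:
        action = LOGON_ACTION.get(ev.get("Logon_Type"))
        if ev.get("EventCode") not in EVENT_CODES or action is None:
            continue
        user = ev.get("Account_Name", "-")
        # Same exclusions as the search: empty, anonymous, machine ($) and SYSTEM.
        if user in ("-", "ANONYMOUS LOGON") or user.endswith("$"):
            continue
        if ev.get("Security_ID") == "NT AUTHORITY\\SYSTEM":
            continue
        computer = ev.get("ComputerName", "").upper()
        # Accounts missing from the lookup have no allowed hosts, so they are flagged.
        if computer not in allowed.get(user.lower(), set()):
            findings.append(Finding(user, computer, action, ev["EventCode"], ev["_time"]))
    return findings

if __name__ == "__main__":
    for finding in unexpected_logons(EVENTS, ALLOWED):
        print(finding)
```

Failed logons (4625) are kept on purpose, so an attempt on an unexpected computer shows up even when it did not succeed.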