Ultimately we have the following report that would capture this information:
- Administrator Activities Report
However the data only goes back 7 days because via the default archive settings:
PAM UI >> Settings >> Credential Manager >> Auto-Archive
If the data is archived and then if either Syslog Forwarding or Splunk Forwarder enabled, look into their logs. He
host="<pam primary ip>" OR host="<pam primary ip2.>" OR "<pam primary ip3>" "audit DETAIL Target.Account" "User.name=<target user>" "Update.User"
This will advise (highlight) the Update.User -> who last updated that account.