It is found that a member in Endevor is missing. We guessed that some one is deleted the member from Endevor.

Is a way to check that which time and who do it?

Release : 18.0

Firstly we need to check if you have SMF logging enabled in C1DEFLTS TYPE=MAIN by parameter SMFREC# and SMF action recording is enabled for the environment from where the element was deleted. Then CONRPT42 43 can be used.

If SMF logging was not enabled, then the action may still have been logged to some home-grown logging system by an user exit 03.

Last chance would be from RACF. If you use external security and RACF logs the security checks done by endevor, depending on the security checks implemented onsite for endevor actions, you might get some clue by examining RACF records.

To see whether the security checks done by endevor could be of help for this purpose, run a test DELETE action with EN$TRESI trace.
If the action was performed by a package AND the package is still present in the package dataset- package detail report CONRPT72 should show the action.

The CSV utility provides function LIST PACKAGE ACTION with information about actions executed by packages.

The information remains in the package file until the package is deleted (package commit does not clear this information). Once a package is deleted, if it has been copied into a package archive dataset, report CONRPT58 contains the same information as CONRPT72.