If the file has risk and violated DLP policy through share event, the incident generates on owner instead of actual user who initiated share activity. 

This is a limitation by Microsoft. Currently, the Office 365 Securlet will report the actual action performer performer in only 2 activities - Rename & Edit . All other activities will have owner information only. (Activity logs/ Policy logs/ DLP Incidents).