This Splunk query shows when the admin account performed Account Modification / Deletion / Creation actions:

index=_audit user=admin action=edit_user operation=* | table _time user operation object*