Index Modifications

This Splunk query should show which users attempted to modify an index and whether that action was successful:

index=_audit user=* action=indexes_edit | stats count by index info user action
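
As an added example (not part of the original post), the Python below applies the same filter and grouping offline to audit-style events, which is useful for checking the logic before turning the search into a scheduled alert. The event layout, the user names and the info values shown are constructed assumptions; the constructed events carry no index field, so the grouping uses user, info and action only.

```python
import re
from collections import Counter

# Constructed sample events in an assumed key=value audit layout.
SAMPLE_EVENTS = """\
Audit:[timestamp=01-15-2024 09:12:01.101, user=admin, action=indexes_edit, info=granted ]
Audit:[timestamp=01-15-2024 09:14:37.220, user=jdoe, action=indexes_edit, info=denied ]
Audit:[timestamp=01-15-2024 09:14:52.530, user=jdoe, action=indexes_edit, info=denied ]
Audit:[timestamp=01-15-2024 09:20:10.004, user=jdoe, action=search, info=granted ]
Audit:[timestamp=01-15-2024 09:31:45.900, user=svc_backup, action=indexes_edit, info=granted ]
malformed line without an audit body
"""

BODY = re.compile(r"Audit:\[(.*?)\s*\]")   # text between "Audit:[" and "]"
PAIR = re.compile(r"(\w+)=([^,\]]*)")      # key=value pairs separated by commas


def parse_event(line):
    """Return the event's fields as a dict, or None if the line is not an audit event."""
    m = BODY.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in PAIR.findall(m.group(1))}


def index_edit_counts(text, action="indexes_edit"):
    """Equivalent of: user=* action=indexes_edit | stats count by info user action."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        # Skip unparseable lines, other actions, and events with no user (user=*).
        if not ev or ev.get("action") != action or not ev.get("user"):
            continue
        counts[(ev["user"], ev.get("info", "unknown"), ev["action"])] += 1
    return counts


def denied_users(counts):
    """Users with at least one unsuccessful index modification attempt."""
    return sorted({user for (user, info, _action) in counts if info == "denied"})


if __name__ == "__main__":
    counts = index_edit_counts(SAMPLE_EVENTS)
    for (user, info, action), n in sorted(counts.items()):
        print(f"{user:12} {action:14} {info:8} {n}")
    print("denied attempts by:", denied_users(counts))
```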