This splunk query will return changes to any group in a windows environment.
You MUST have the Splunk App for Windows Infrastructure app installed located here: https://apps.splunk.com/app/1680/
Windows Server 2003 and older:
sourcetype=WinEventLog:Security (EventCode=636 OR EventCode=632 OR EventCode=650 OR EventCode=655 OR EventCode=660 OR EventCode=665) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, host, Type
Windows Server 2008 and newer:
sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4732 OR EventCode=4746 OR EventCode=4751 OR EventCode=4756 OR EventCode=4161 OR EventCode=4185) | eval Date=strftime(_time, "%Y/%m/%d") |rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)" | rex "Account\sName:\s+(?<SourceAccount>.*)" | stats count by Date, TargetAccount, SourceAccount, Group_Name, host, Keywords | sort - Date | rename SourceAccount as "Administrator Account" | rename TargetAccount as "Target Account"