Splunk Admin Account Activity – Role Modifications

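This Splunk query searches the _audit index for edit_roles events and shows when an admin account performed Create or Modify Roles actions, listing the time, user, operation and object fields for each event: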

index="_audit" action=edit_roles operation=* | table _time user operation object*
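To show what the filter and the `object*` wildcard in the search above select, here is the same logic applied offline to a few audit events. This is an added example, not part of the original post and not Splunk code; the sample events, their key=value layout, the mapping of `timestamp` to `_time`, and the names `parse_event` and `role_changes` are assumptions made for illustration.

```python
import re

# Constructed sample events. The key=value layout is an assumption for this
# example; the field names (user, action, operation, object*) come from the query.
SAMPLE_EVENTS = [
    'timestamp=2024-01-10T09:15:02, user=admin, action=edit_roles, info=granted, object="soc_analyst", operation=create',
    'timestamp=2024-01-10T09:16:40, user=jdoe, action=search, info=granted, search_id="1704878200.12"',
    'timestamp=2024-01-10T09:20:11, user=admin, action=edit_roles, info=granted, object="power", object_type="role", operation=edit',
    'timestamp=2024-01-10T09:25:00, user=svc_deploy, action=edit_roles, info=denied, object="admin"',
]

# key=value pairs; a value is either double-quoted or runs to the next comma/space
PAIR = re.compile(r'(\w+)=("([^"]*)"|[^,\s\]]+)')


def parse_event(line):
    """Split one key=value event into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in PAIR.finditer(line)}


def role_changes(lines):
    """Mirror: action=edit_roles operation=* | table _time user operation object*"""
    rows = []
    for line in lines:
        ev = parse_event(line)
        # operation=* only matches events where the field exists and is non-empty,
        # so an edit_roles event without an operation field is left out.
        if ev.get("action") != "edit_roles" or not ev.get("operation"):
            continue
        row = {"_time": ev.get("timestamp"), "user": ev.get("user"),
               "operation": ev["operation"]}
        # object* is a wildcard: keep every field whose name starts with "object"
        row.update({k: v for k, v in ev.items() if k.startswith("object")})
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in role_changes(SAMPLE_EVENTS):
        print(row)
```

The fourth constructed event is dropped because it has no operation field, which is the effect of `operation=*` in the search: to see every edit_roles event regardless, remove that term.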