Ideally you would want to have an internal event match, such as Event ID 407912448, to alert you to changes in admin level accounts.
Go to the "System Properties menu, "Alarms":
In Alarm Settings - Summary: Name, Conditions - Internal Event Match, Actions - Log Event, Create Case. Check "Enabled" box and assign a severity.
In Alarm Settings - Condition: Internal Event Match, Field - Normalized ID, Values - Event ID to trigger on, such as the one above. Set the frequency at 10 minutes to start.
In Alarm Settings - Devices: No need to check anything here.
In Alarm Settings - Actions: Choose to Log Event, Create Case, etc., as desired. In this tab you can use the "Send Message" checkbox to send an email to a recipient.
In Alarm Settings - Escalation: Again, choose as needed if so. If not, leave empty.
Click "Finish" and your alarm is set.
Where do I find the correct Event IDs for the admin lockout or admin user change?
Did you find the event ID ?
There is no special Event_ID for an Admin Lockout. But there is an Event ID for a Lockout for a Windows Account.
--> Event ID 4740
So now you need a list of all Adminaccounts (Watchlist)
Configure your alarm to take a look on the list if is the user from the Event log in this watchlist.