If you have access to the content packs, there is a domain policy view and correlation rules.
You can modify the correlation rule to include a sequence, looking for first user added to security-enabled group, followed by user removed from security-enabled group
If you co not have access, or have an earlier version of SIEM, you can use these signatures in a similar way
these signature show members added to security groups- (Windows 2008)
4756 member added to security enabled universal group 43-263047560
4732 member added to security enabled local group 43-263047320
4728 member added to security enabled global group 43-263047280
then you can get the signatures for removal from a group
and create the same sequence
Note that the correlation rule references the object - Domain Policy - Security Groups, which is a watchlist. You may need to add to that list.
As for the second part - User account changed policy-
To my undrstanding, the Windows Event ID that shows this only shows the computer, not the user.