To determine the UserName that changed the Administrator password, perform the following on the PDC:

1. Enable Success and Failure audits for File and Object Access using
   User Manager for Domains / Policies / Audit.

2. Using Regedt32, select the SAM key in HKEY_LOCAL_MACHINE and use Security / Permissions
    to set Full Control for the Administrators local group. Check Change Permissions on Existing Subkeys.

3. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4, select Security / Audit Permissions
   and add the Administrators local group to the list. Select this group and enable Success and Failure auditing
   for Set Value events on this and all subkeys.

When a change is made to the Administrator account, the event:

ID: 560
Source: Security
Type: Success Audit
Category: Object Access

will indicate the UserName.