22.5 Validating Actual User Name Displayed In Change Guardian When AD Actions are Made Using DRA

As an administrator, you can validate the AD audit logs or events from DRA, and view the corresponding actual user name in the Change Guardian event list.

Perform the following steps to validate the actual user name in the AD security logs and confirm whether the event originated from DRA:

  1. Open the Event Viewer window on the domain controller computer, and navigate to Windows Logs > Security.

  2. Click Filter Current Log, specify the following event IDs: 5136 and 5137, and then click OK.

  3. Click Find and specify the user name you want to validate for the DRA operation.

  4. Click the event, and then go to Details > XML View:

    If you find dra-event in the value of the <Data Name="AttributeValue"> field, you can conclude that the AD action was made by the specified user.
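
The same check can be scripted with PowerShell on the domain controller. This is an added example, not code from the DRA or Change Guardian documentation; it relies only on the event IDs, the AttributeValue field, and the dra-event marker named in the steps above. The parameter names $UserName and $MaxEvents are hypothetical.

```powershell
# Added example (not product code). Save as a script and run it elevated on the domain controller.
param(
    [Parameter(Mandatory)] [string] $UserName,  # user name to validate (step 3)
    [int] $MaxEvents = 5000                     # assumed search window; adjust as needed
)

# Steps 1-2: Security log filtered to event IDs 5136 and 5137.
$filter = @{ LogName = 'Security'; Id = 5136, 5137 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$results = foreach ($evt in $events) {
    $xmlText = $evt.ToXml()

    # Step 3: like Find, match the user name anywhere in the event (case-insensitive).
    if ($xmlText.IndexOf($UserName, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }

    # Step 4: read the named <Data> fields that the XML view shows.
    $fields = @{}
    foreach ($d in ([xml]$xmlText).Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }

    # AttributeValue is missing on events that carry no attribute value; treat that as "no marker".
    $attrValue = $fields['AttributeValue']

    [pscustomobject]@{
        TimeCreated    = $evt.TimeCreated
        EventId        = $evt.Id
        Subject        = $fields['SubjectUserName']
        ObjectDN       = $fields['ObjectDN']
        AttributeValue = $attrValue
        DraEvent       = [bool]($attrValue -and $attrValue -like '*dra-event*')
    }
}

# Rows with DraEvent = True are the events that originated from DRA for this user.
$results | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Rows where DraEvent is False matched the user name but do not carry the dra-event marker, so they do not confirm a DRA-originated action.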