Are root password changes logged?

Solution 1:

In the /var/log/auth.log there should be an entry like:

Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed

from here.

Do mind that once the log is full, your entries might be gone forever.

Solution 2:

In addition to BloodPhilia's response... sometimes those entries are in /var/log/messages or other files. It'd be best to try something like:

cd /var/log
grep -R -i passwd *

...to locate the entries.

As far as log longevity is concerned, here's the log archives for one of my unmodified Debian boxes. That is, default logging.

/var/log# ls -atlr auth*
-rw-r----- 1 root adm  35941 2009-06-21 06:47 auth.log.6.gz
-rw-r----- 1 root adm  78092 2009-06-27 06:25 auth.log.5.gz
-rw-r----- 1 root adm  72322 2009-07-09 06:25 auth.log.4.gz
-rw-r----- 1 root adm  18186 2010-08-08 06:47 auth.log.3.gz
-rw-r----- 1 root adm  18742 2010-08-15 06:47 auth.log.2.gz
-rw-r----- 1 root adm  23542 2010-08-22 06:47 auth.log.1.gz
-rw-r----- 1 root adm 271204 2010-08-29 06:47 auth.log.0
-rw-r----- 1 root adm 160744 2010-09-02 13:01 auth.log

As you can see, it goes back a while by default (in this case).