Identifying which admin changed another admin's privileges
Have a bit of a people issue and one user who has admin has changed another's privileges from admin to standard. This is a university setting, but the student association not the university's network; I am the parent of the user who was (temporarily) demoted; some experience as a user but not admin using Linux and Apple systems (as well as Windows)...
The root user did not do it and privileges have been restored; current root user is not experienced as a sysadmin though. Does OS X keep log files which would show who made this change? assuming so, which log file(s) would need to be examined to get this information (I take it one needs to look at the asl logs through Console - but which logs?) I do not have access to the system and need to describe this to those who will do it...
Any help would be appreciated.
You may also be able to glean some info from the BSM audit logs. The log files are in /var/audit and are viewed with praudit(8). I don't know the format of the audit record for changing an account, but there should be some clues. You can check the date range and look for privilege escalations. The text section may have mentions of the '/Local/Default' node.