Account lockout
Microsoft provides some great add-ons which can help quite a bit with this. Here is a lint to those tools: Account Lockout and Management Tools
and here is some articles on how to use the tools: http://technet.microsoft.com/en-us/library/cc738772.aspx http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
The one which would probably be most helpful is the LockoutStatus.exe, as it will find all of the domain controllers in your forest/domain and return to you that last time in which there was an unsuccessful login attempt. It will also tell you if the account is locked on that DC, and provides you the ability to unlock at that site.
My first action would be to enable security loggin for failed logon and attempts on the domain security policy, this may give you some insight into what is causing the lockout.