Creation (useradd) is logged to whatever syslog logs to (also check logrotate: syslog retention). Changes I don't think are logged and certainly not who changed it (changing implies one has root rights).
Your distribution release is obsolete. Didn't you read the EOL notes years ago? It's unsafe.
If you want a "better" commandline audit trail, wrap what any logged on user does in Rootsh or Sudosh. Or patch kernel with GRSecurity in verbose logging mode (execs) or patch kernel with any other exec logging kernel patch. Rootsh or Sudosh is less invasive, needs less configuring and should suit your needs.
|