Password Change audit

I’m just wondering if there is a way to audit when someone changed a user password, specifically when using the default (internal) user source.

I have a site where they claim that the passwords are changing all by “themselves” and have to be reset and its Ignitions fault.

I’m guessing there is a “fiddler” having a bit of fun and I need to catch them.