Hello there,
The simplest way would be to capture the 4648(S) Event ID and trace the credentials that were being used when this Event ID is triggered.
This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
4648(S): A logon was attempted using explicit credentials. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
This event is also logged when a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.
---------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–