@John Maya Intertek Thank you for reaching out to us, based on my findings account performed by the actor can be retrieved from the audit logs.
Would recommend to check the below query if it helps to achieve the required info
AADUserRiskEvents
| where TimeGenerated >= ago(7d)
| where RiskDetail startswith "admin"
| summarize arg_max(TimeGenerated, *) by UserPrincipalName
| project UserPrincipalName, RiskState, RiskDetail, RiskEventType, TimeGenerated ,Source
| order by TimeGenerated desc
| join (AuditLogs | where ActivityDateTime <= now()) on $left.Source == $right.LoggedByService
| project UserPrincipalName, RiskState,RiskEventType, OperationPerformedPerson = InitiatedBy.user.userPrincipalName
Let me know if you have any questions, feel free to post back.