Hi @Jerry Su ,
For the question you posted:
1.The admin audit log could record information about run “Search-Mailbox”, include who run the cmdlet, when run the cmdlet ,modify who and so on. The admin audit log is enable by default.
2.We couldn’t set the alerts if someone execute search-mailbox, but the “Search-Mailbox” is available only in the Mailbox Search or Mailbox Import Export roles, and these roles aren’t assigned to any role groups by default. If you want to using this cmdlet, you need to add one or both of the roles to a role group. So if you don’t want someone to running “Search-Mailbox”, don't assign the role to that user.
For the question about Search-AdminAuditLog:
1.Please run the following command to view the settings of Admin Audit Log, especially the “AdminAuditLogEnabled” and “AdminAuditLogAgeLimit”.
Get-AdminAuditLogConfig
2.Please make sure the account have the correct permission, then you also could create a new user mailbox, the add this user to Records Management Role and Organization Management Role, then run the “Search-AdminAuditLog” command with this user account for a test and see if there have result.
3.Please run the following command to view whether the arbitration mailbox named SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} exists.
Get-mailbox –arbitration
In addition, this phenomenon is a known issue in Exchange 2016, please refer to the following link to fix it: Empty results are returned when you run Search-AdminAuditLog or Search-MailboxAuditLog with a parameter in Exchange Server
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.