Windows
Event logs
📂 %SystemRoot%\System32\config\SecEvent.evt
📂 %SystemRoot%\System32\winevt\logs\Security.evtx
It starts with the event 4720 (account created) and multiple 4732 events (member added to some security-enabled group). This account must be enabled (4722) before it can be used. You might see 4738 (account was changed) or even 4724 (password reset attempt).
✍🏻 4728 - member was added to a security-enabled global group.
✍🏻 4732 - member was added to a security-enabled local group.
✍🏻 4756 - member was added to a security-enabled universal group.
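The event sequence above can be correlated per account when triaging an exported Security log. The following is an added example, not part of the original notes: it assumes the events are already parsed into dicts, where `id` and `time` are assumed key names and the other keys mirror the EventData fields of these events; all sample records are constructed.

```python
from datetime import datetime, timedelta

GROUP_ADD = {4728: "global", 4732: "local", 4756: "universal"}
LIFECYCLE = {4722: "enabled", 4738: "changed", 4724: "password reset attempt"}

def correlate_new_accounts(events, window=timedelta(hours=1)):
    """Build one timeline per created account (4720), keyed by the account SID.

    In 4728/4732/4756 the TargetUserName is the *group*; the added member is in
    MemberSid (MemberName is often "-"), so the join key is the SID, not the name.
    """
    timelines = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["id"]
        if eid == 4720:
            timelines[ev["TargetSid"]] = {
                "account": ev["TargetUserName"], "creator": ev["SubjectUserName"],
                "created": ev["time"], "groups": [], "actions": [], "enabled": False}
            continue
        sid = ev.get("MemberSid") if eid in GROUP_ADD else ev.get("TargetSid")
        t = timelines.get(sid)
        if t is None or ev["time"] - t["created"] > window:
            continue  # account not created in this log, or event too late to correlate
        if eid in GROUP_ADD:
            t["groups"].append((GROUP_ADD[eid], ev["TargetUserName"]))
        elif eid in LIFECYCLE:
            t["actions"].append(LIFECYCLE[eid])
            t["enabled"] = t["enabled"] or eid == 4722
    return timelines

# Constructed sample records (not taken from a real system).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OTHER = "S-1-5-21-1111111111-2222222222-3333333333-1001"

def ev(offset_s, eid, **fields):
    return {"time": T0 + timedelta(seconds=offset_s), "id": eid, **fields}

SAMPLE = [
    ev(0, 4720, TargetUserName="svc_backup", TargetSid=SID, SubjectUserName="admin01"),
    ev(1, 4722, TargetUserName="svc_backup", TargetSid=SID, SubjectUserName="admin01"),
    ev(2, 4738, TargetUserName="svc_backup", TargetSid=SID, SubjectUserName="admin01"),
    ev(3, 4724, TargetUserName="svc_backup", TargetSid=SID, SubjectUserName="admin01"),
    ev(5, 4732, TargetUserName="Administrators", MemberSid=SID, MemberName="-"),
    ev(6, 4732, TargetUserName="Remote Desktop Users", MemberSid=SID, MemberName="-"),
    ev(9, 4732, TargetUserName="Backup Operators", MemberSid=OTHER, MemberName="-"),
]

if __name__ == "__main__":
    for sid, t in correlate_new_accounts(SAMPLE).items():
        print(sid, t["account"], "by", t["creator"], t["actions"], t["groups"])
```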
🔑 Registry
📂 C:\windows\system32\config\SAM
📂 SAM\Domains\Account\Users
🐾 account usage
🐾 last time the password was changed
⏰ Only the last login time will be stored in the registry key.