This is a script I run periodically to hunt down any local accounts on organisational devices. It returns with the device name, the name of the local accounts with admin and the amount of accounts present on the device. Removing the timestamp and adjusting the timestamp manually allows you to narrow down when the account was active.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where LogonType == “Interactive” and ActionType == “LogonSuccess”
| where AccountName !in (“defaultuser1”, “admin”)
| extend Device = split(DeviceName, “.”)[0]
| where Device == AccountDomain
| summarize [‘Local Accounts with Admin’]=make_set(AccountName), [‘Count of Admin Accounts’]=dcount(AccountName) by DeviceName
| sort by DeviceName
David Williams Technical 