I get the windows event codes from https://www.ultimatewindowssecurity.com/
Ones I use are
Domain Admins Group additions and deletions using Auditable Group Events.EventInfo" = Member "*" (added/deleted) from group "XXXXXXXX\Domain Admins"
This emails me when users are added or removed from domain admins
Domain passwords changed using Admin privileges using UserModifyAttribute.ProviderSID = *4724*
This emails me when an admin changes a users password
Create email templates to fill in the who and when and where from details