Your filter will look for any username in any of those AD groups or the "Admin Accounts" user-defined group to appear as the Source or DestinationAccount of a UserLogonFailure event. It might not be pretty, but it should work.
Logon failures are a tricky beast where you have to have agent/log capture presence on the endpoint people are logging on TO to get the full detail. Sometimes things will get pushed back to AD so coverage on the DCs is still important (and might catch it in some detail as well). Where was the person testing the logon failure? On a server with an agent or on their workstation?
Next thing would be to make sure you're seeing Logon Failures at all from your infrastructure, especially DCs. It's possible the audit policy does need to be tweaked, so you can test with Logon Failures and/or check the audit policy directly. Make sure that the logon related audit policies are at least set to 'failure' so you'll catch failures.
It's possible the way those account names are being logged in the failures you are catching isn't quite matching how the usernames appear in the groups, but that seems less likely than either the events aren't being generated or aren't being caught. You could also check the event logs directly on the system/DCs to see if any failures were generated (that would mostly tell you your LEM-side config needs love rather than your audit policy).