Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: nDepth : find source of AD account deletion


To do this I use correlations:

DeleteDomainMember.ProviderSID = *4726*   AND   DeleteDomainMember.EventInfo NOT= *$*

 

The $ bit just filters out machine accounts.

Other useful ones are:

Disable accounts

UserDisable.ProviderSID = *4725* AND UserDisable.EventInfo NOT= *$*

 

Add to groups (works with removed too)

Auditable Group Events.EventInfo = Member "*" added to group "DOMAIN\Group Name"

 

And a really useful one is when Domain Admins change passwords for users:

UserModifyAttribute.ProviderSID = *4724* AND UserModifyAttribute.EventInfo NOT= *$*

 

A useful resource is Randy Franklin Smith's Ultimate Windows Security. He is the guy who makes the LOGbinder tool, which is useful for LEM too.

On his site are descriptions of all the Windows event IDs (ProviderSID).

 

I hope this helps
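The filters in the reply above, modelled offline in Python so they can be tested against a handful of events without a SEM/LEM appliance. This is an added example, not SolarWinds code and not the poster's; it assumes the Windows Security event IDs 4726 (account deleted), 4725 (account disabled) and 4724 (password reset) named in the post, plus the group membership IDs 4728/4729/4732/4733/4756/4757, which the post does not name because it matches those on the message text instead. The sample events are constructed, the `subject`/`event_info` field names are this example's own, and the machine-account check is done on the target name's trailing `$` rather than on any `$` anywhere in the message, as the post's `NOT= *$*` clause does.

```python
# Added example: the post's nDepth correlations modelled offline in Python.
# Not SEM/LEM code; event shape and field names are assumptions of this example.
import re
from typing import List, NamedTuple, Optional, Tuple

# Windows Security event IDs from the post (its "ProviderSID" values).
DELETE, DISABLE, PASSWORD_RESET = 4726, 4725, 4724
# Group membership change IDs (global/local/universal, add and remove).
# Assumed by this example; the post matches these on message text.
GROUP_CHANGE = {4728, 4729, 4732, 4733, 4756, 4757}


class SecEvent(NamedTuple):
    event_id: int    # the post's ProviderSID
    subject: str     # account that performed the action
    event_info: str  # free-text message, the post's EventInfo


# Constructed sample events standing in for what the Security log would send SEM.
SAMPLE_EVENTS = [
    SecEvent(4726, "CORP\\jsmith", "A user account was deleted. Target Account Name: bob"),
    SecEvent(4726, "CORP\\svc-sccm", "A user account was deleted. Target Account Name: WKS042$"),
    SecEvent(4725, "CORP\\jsmith", "A user account was disabled. Target Account Name: alice"),
    SecEvent(4724, "CORP\\dadmin", "An attempt was made to reset an account's password. Target Account Name: carol"),
    SecEvent(4724, "CORP\\dadmin", "An attempt was made to reset an account's password. Target Account Name: SRV01$"),
    SecEvent(4728, "CORP\\jsmith", 'Member "CORP\\dave" added to group "CORP\\Domain Admins"'),
    SecEvent(4729, "CORP\\jsmith", 'Member "CORP\\dave" removed from group "CORP\\Helpdesk"'),
    SecEvent(4728, "CORP\\jsmith", 'Member "CORP\\erin" added to group "CORP\\Helpdesk"'),
]

TARGET_RE = re.compile(r"Target Account Name:\s*(\S+)")
GROUP_RE = re.compile(r'Member "([^"]+)" (added to|removed from) group "([^"]+)"')


def is_machine_account(name: str) -> bool:
    """AD machine accounts end in '$'; this is what the post's NOT= *$* drops."""
    return name.endswith("$")


def target_account(info: str) -> Optional[str]:
    """Pull the account acted upon out of the message text."""
    m = TARGET_RE.search(info)
    return m.group(1) if m else None


def account_events(events: List[SecEvent], event_id: int) -> List[Tuple[str, str]]:
    """Equivalent of  X.ProviderSID = *<id>* AND X.EventInfo NOT= *$*
    Returns (who did it, which user account) for 4726 / 4725 / 4724."""
    hits = []
    for ev in events:
        if ev.event_id != event_id:
            continue
        tgt = target_account(ev.event_info)
        if tgt is None or is_machine_account(tgt):
            continue
        hits.append((ev.subject, tgt))
    return hits


def group_changes(events: List[SecEvent], group: str) -> List[Tuple[str, str, str]]:
    """Equivalent of  EventInfo = Member "*" added to group "DOMAIN\\Group"
    and the 'removed from' variant. Returns (who, member, 'added'|'removed')."""
    out = []
    for ev in events:
        if ev.event_id not in GROUP_CHANGE:
            continue
        m = GROUP_RE.search(ev.event_info)
        if m and m.group(3).lower() == group.lower():
            verb = "added" if m.group(2) == "added to" else "removed"
            out.append((ev.subject, m.group(1), verb))
    return out


if __name__ == "__main__":
    for eid, label in ((DELETE, "deleted"), (DISABLE, "disabled"), (PASSWORD_RESET, "pwd reset")):
        for who, tgt in account_events(SAMPLE_EVENTS, eid):
            print(f"{label:10} {tgt:10} by {who}")
    for who, member, verb in group_changes(SAMPLE_EVENTS, "CORP\\Domain Admins"):
        print(f"group {verb:8} {member} by {who}")
```

Running it shows the two machine-account events (`WKS042$`, `SRV01$`) dropped and only `CORP\dave` being added to Domain Admins reported for that group, which is the behaviour the post's filters aim for.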
