Blsanner, yes, you're correct. Looking in the host machine's logs, I see an informational entry at the correct time stamp: Event 1704 "Security policy in the Group policy objects has been applied successfully." But there are a lot of entries for Event 1704; only this one triggered an alarm.
My default domain GPO is set to audit logon events -failure only. My default domain DC GPO audits several items, including policy change. This host in question is not a DC, so I wouldn't expect those other audit events to be enabled (unless I misunderstand).
Wolram-- when you say it's logged as a change, do you mean that even though the other audit events are not enabled, logging will treat that as a "change" and list them out as disabled?