Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: alerts for stopping windows services rule


Hi Marcos - the 'unable to resolve username' issue is a known issue with Windows event logging for services. The username was included in older OSes such as Server 2003, but the functionality was removed as of Server 2008. The only way to audit who stopped/started a service is to set up the auditing on a per-service basis, so you may just want to configure the auditing on your most critical services.

When you stop a service, the event ID will be 7036 and the User will be N/A in the event log (hence the 'unable to resolve username' in LEM).

[Image: Screen Shot 2017-06-22 at 2.54.02 PM.png]

If you follow the steps in this guide you can then start to monitor for Event ID 4656, which includes the action performed and by which user:

[Image: Screen Shot 2017-06-22 at 3.04.25 PM.png]

These events look like this in LEM (AccessRequested shows the 'stop the service' action):

[Image: Screen Shot 2017-06-22 at 3.07.30 PM.png]

Hope that helps!
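The correlation the reply describes, as an added example that is not part of the original post or of LEM: a 7036 "entered the stopped state" event names the service but carries User N/A, while a per-service 4656 event carries the requesting account and the "Stop the service" access right. The script below attributes each stop to the most recent 4656 stop request for the same service within a short window. The event dictionaries, field names and the `WINDOW` size are assumptions about how a collector might present the two logs, and the sample events are constructed. It also assumes the 7036 message names the service the same way the 4656 Object Name does; on a real host the 7036 message uses the service's display name, so a display-name-to-service-name mapping would be needed before matching.

```python
"""Attribute Windows service stops (System log, event 7036) to the account that
requested them (Security log, event 4656 on a SERVICE OBJECT with the
'Stop the service' right). Example code, not from the original post."""
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified, already-parsed form.
# Field names are assumptions about a collector's output, not LEM's schema.
SAMPLE_EVENTS = [
    {"time": "2017-06-22 14:54:00", "id": 4656, "subject": "CORP\\jdoe",
     "object_type": "SERVICE OBJECT", "object_name": "Spooler",
     "accesses": "Stop the service"},
    {"time": "2017-06-22 14:54:02", "id": 7036, "user": "N/A",
     "message": "The Spooler service entered the stopped state."},
    # A query of service status is not a stop request and must not match.
    {"time": "2017-06-22 15:04:10", "id": 4656, "subject": "CORP\\svc-backup",
     "object_type": "SERVICE OBJECT", "object_name": "wuauserv",
     "accesses": "Query status of service"},
    {"time": "2017-06-22 15:04:25", "id": 7036, "user": "N/A",
     "message": "The wuauserv service entered the stopped state."},
    # A start transition is not a stop and is ignored.
    {"time": "2017-06-22 16:10:00", "id": 7036, "user": "N/A",
     "message": "The Spooler service entered the running state."},
]

STOPPED_RE = re.compile(
    r"^The (?P<service>.+?) service entered the stopped state\.$")
WINDOW = timedelta(seconds=30)  # assumed tolerance between 4656 and 7036


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def stop_requests(events):
    """4656 events that asked for the 'Stop the service' right on a service."""
    return [e for e in events
            if e["id"] == 4656
            and e.get("object_type") == "SERVICE OBJECT"
            and "stop the service" in e.get("accesses", "").lower()]


def attribute_stops(events, window=WINDOW):
    """For every 7036 'stopped' event, return the service name and the
    account from the latest matching 4656 stop request within `window`,
    or None when per-service auditing produced no such request."""
    requests = stop_requests(events)
    results = []
    for e in events:
        if e["id"] != 7036:
            continue
        m = STOPPED_RE.match(e["message"])
        if not m:
            continue
        svc = m.group("service")
        t = parse_time(e["time"])
        candidates = [r for r in requests
                      if r["object_name"] == svc
                      and timedelta(0) <= t - parse_time(r["time"]) <= window]
        user = (max(candidates, key=lambda r: parse_time(r["time"]))["subject"]
                if candidates else None)
        results.append({"time": e["time"], "service": svc, "user": user})
    return results


if __name__ == "__main__":
    for row in attribute_stops(SAMPLE_EVENTS):
        who = row["user"] or "unknown (no 4656 stop request audited)"
        print(f"{row['time']}  {row['service']:<10} stopped by {who}")
```

The second sample stop comes back with `user` set to `None`, which is exactly the gap the reply warns about: without per-service auditing, or when the only 4656 in the window is a status query, the 7036 alone cannot tell you who acted. Treat that case as a finding in its own right (a service stopped with no audited stop request) rather than silently dropping it.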

