Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Domain Admin account lockout alert


LEM alerts you based on the events that it receives, so I would track it back:

 

With the e-mail, track it to the event and node that's alerting you, and check the event in nDepth to make sure that it's there (it pretty well should be, but this can give you more information). From there you can check the Tool Alias, Provider SID, Detection IP and so on to get you the log and information on the machine, and I would check the local logs on that machine.

 

If you aren't seeing the logs then I would suspect an issue with the rule correlation and double check that.

 

If you see the event logged locally then that would explain why you're getting alerted; why it's being logged is another question entirely.

 

Do you have a tool that will show you the history of the account? Do you have a policy that will unlock accounts automatically after a certain amount of time? These can all provide clues as to what is actually going on.
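One way to carry out the "check the local logs on that machine" step and get a history for the account, as an added example that is not part of the original post. It assumes the lockouts are recorded as Security event ID 4740 in the Windows log of the machine named in the alert; the function names, account name and host names are hypothetical.

```powershell
# Added example. Assumption: lockouts appear as Security event ID 4740
# on the machine whose local log is being checked.

function ConvertFrom-LockoutXml {
    # Turns the XML of one 4740 event into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt  = ([xml]$Xml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = [datetime]$evt.System.TimeCreated.SystemTime
            LoggedOn       = $evt.System.Computer
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the caller computer is stored in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

function Get-LockoutHistory {
    # Reads the local Security log of $ComputerName for lockouts of $Account.
    param([Parameter(Mandatory)][string]$Account,
          [string]$ComputerName = $env:COMPUTERNAME,
          [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutXml |
        Where-Object LockedAccount -eq $Account | Sort-Object TimeCreated
}

# Constructed sample event (not real data), so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.0000000Z" />
    <Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">da-example</Data>
    <Data Name="TargetDomainName">WKSTN-EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutXml | Format-List

# Live use on the machine from the alert (needs rights to read the Security log):
# Get-LockoutHistory -Account 'da-example' -ComputerName 'DC01.example.test' |
#     Group-Object CallerComputer | Sort-Object Count -Descending
```

Grouping by `CallerComputer` shows which machine the failed logons are coming from, which is usually the quickest clue to why the account keeps locking.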

