Audit success and failure events in the system event category
Audit success events in the policy change event category on domain controllers
Audit success events in the account management event category
Audit success events in the logon event category
Monday, August 13, 2007
Here is dated, but still insightful doc on "Auditing Security Events 'Best Practices'." It covers event log collection and analysis, as recommended by Microsoft (the list is sadly incomplete - there is certainly much more stuff to look at in the Event Log). Example recommendations:
On "Auditing Security Events 'Best Practices'"