Trying to figure out how password was changed

Trying to figure out how password was changed

We have a user who is basically retired, so he does not have a computer assigned to him. I show a password change for him on our network, on one of the domain controllers in our primary office, not the one in his home city. ADAudit gives the caller user ID as his username and a successful password change. But I cannot find anything as to which system the password change occurred from Any thoughts on narrowing this down? All I see in terms of logins is Activesync type, from his iPhone.

                New to ADSelfService Plus?