My user's password changed. Where are changes to cPanel passwords logged?
If a user used cPanel to change their password, you will see an entry in the /usr/local/cpanel/logs/access_log file:
10.1.100.99 - sean [12/23/2020:11:13:46 -0000] "POST /cpsess8663415612/frontend/paper_lantern/passwd/changepass.html HTTP/1.1" 200 0 "https://10.2.32.170:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0" "s" "-" 2083
Password changes will show up as post requests to the changepass.html script. This entry demonstrated when I changed the password for this user.
If a user changed their password using the Linux shell, this would not be logged anywhere except potentially the user's bash_history in the user's home directory.