
XP admin pwd changed. Is there a log?

Discussion in 'Windows XP' started by wacky, 2006/10/04.

  1. 2006/10/04
    wacky

    wacky Inactive Thread Starter

    Joined:
    2006/10/04
    Messages:
    3
    Likes Received:
    0
    Hello all,
    I'm a network admin at a small private school (for 1 class period per day). Apparently some rogue student has found a way to change the local admin pwd. I've since disabled booting from CD, USB, and floppy. I've now installed a BIOS password as well.
    Normally students log in on our domain, but some savvy student figured a way around this. I logged in with a separate account and changed the local admin password again.

    I wonder, is there a log that would detail when a specific admin password has changed? If it doesn't necessarily mention a pwd. change, then possibly some other event that might help me narrow down the field?
    If Windows has such a feature it would greatly help me in tracking down this student. What type of things should I be looking for in the event log?


    Thanks,
    Zach
     
  2. 2006/10/05
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Configure Audit Policies from Administrative Tools > Local Security Settings.
     
    Arie,
    #2
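
With account-management auditing enabled as described in the reply above, XP records password changes in the Security log as events 627, 628 and 642. The following is an added example, not part of the thread: it filters a Security log exported as CSV for those events and buckets them by class period; the column layout, sample rows, account names and period times are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# XP/2003 Security-log event IDs in the "Account Management" category.
PASSWORD_EVENTS = {
    627: "Change Password Attempt",
    628: "User Account password set",
    642: "User Account Changed",
}
# Constructed sample rows; the column order is an assumption (see FIELDS).
SAMPLE_CSV = """\
2006-10-03,09:02:11,Security,Success Audit,Logon/Logoff,528,student1,LAB07
2006-10-03,10:41:37,Security,Success Audit,Account Management,628,Administrator,LAB07
2006-10-03,10:41:37,Security,Success Audit,Account Management,642,Administrator,LAB07
2006-10-03,13:15:02,Security,Failure Audit,Account Management,627,student2,LAB07
2006-10-04,08:30:00,Security,Success Audit,Logon/Logoff,528,Administrator,LAB07
"""
# Hypothetical class periods (24h local time) used to bucket each hit.
PERIODS = {"period 3": ("10:15", "11:05"), "period 5": ("13:00", "13:50")}
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

def parse_events(text):
    """Yield one dict per exported log row, with a parsed timestamp."""
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["event"] = int(row["event"])
        stamp = row["date"] + " " + row["time"]
        row["when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        yield row

def period_of(when):
    """Map a timestamp to the class period it falls in, if any."""
    hhmm = when.strftime("%H:%M")
    for name, (start, end) in PERIODS.items():
        if start <= hhmm <= end:
            return name
    return "outside class periods"

def password_changes(text):
    """Return (when, event id, audit type, user, period) for password events."""
    hits = []
    for ev in parse_events(text):
        if ev["source"] == "Security" and ev["event"] in PASSWORD_EVENTS:
            hits.append((ev["when"], ev["event"], ev["type"], ev["user"],
                         period_of(ev["when"])))
    return sorted(hits)

if __name__ == "__main__":
    for when, eid, kind, user, period in password_changes(SAMPLE_CSV):
        print(when, eid, PASSWORD_EVENTS[eid], kind, user, period, sep=" | ")
```

These events exist only from the moment auditing is switched on, and only for changes made through Windows itself on that machine.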


  4. 2006/10/05
    wacky

    wacky Inactive Thread Starter

    Joined:
    2006/10/04
    Messages:
    3
    Likes Received:
    0
    Thank You.
    That will definitely help in the future. Are there specific processes I might check that are already noted in the system event log or the application event log that might help me do some forensic work?

    Zach
     
  5. 2006/10/05
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    You mention Domain. Does the domain comp keep a log of who logged on when? That would narrow down the possible culprits.
     
  6. 2006/10/05
    wacky

    wacky Inactive Thread Starter

    Joined:
    2006/10/04
    Messages:
    3
    Likes Received:
    0
    I already have a list of possible suspects. I'm trying to nail it down to one of two class periods.
    Yes, the domain logs user access. I don't think the PWD was changed due to a login attempt, but rather a boot disk of some sort. That's why a BIOS pwd has been set and the machine will now only boot from the HDD.
    I don't believe the student actually logged into the domain. This was done to the local admin account. Does the domain keep logs of who logs in even on local computers?


     
