You need to enable auditing for your domain controllers and servers. It's done using group policies:
Auditing for Domain Controllers:
1. Navigate to Start > Programs > Administrative Tools > Group Policy
Management.
2. In the Group Policy Management console, expand the Forest:
<domain_name> > Domains > <your_domain_name> > Domain Controllers node
3. Right-click Default Domain Controllers Policy and select Edit from the popup
menu.
4. In the Group Policy Object Editor, under Computer Configuration, expand the
Windows Settings > Security Settings > Local Policies node and select Audit Policy node
5. Set the Audit Account Management parameter to Success, and Audit Logon
Events and Audit Account Logon Events to Failure.
Auditing for Domain:
1. Navigate to Start > Programs > Administrative Tools > Group Policy
Management.
2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> node
3. Right-click the Default Domain Policy node and select Edit from the popup
menu.
4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policy node and select the
Audit Policy node
5. Set the Audit logon events parameter to Failure.
Then check for events with id 4740 in the Security logs. Additionally you may use
Microsoft Account Lockout Tools or our free tool
Netwrix Account Lockout Examiner