Event logs – Your DC event log for security should give you the time and source of the offense that locks them out.
That said, we have seen this occur from another cause – ‘Synchronization’. We have users with roaming profiles and DFS and if they forget to clear ‘Sync’ on the workstation when they are finished, every restart trips their credentials. The local user just wants to shutdown/restart and cancels the ‘sync’ which the DC counts as a failed logon.
Finding a sheduled task from one of many workstations is complicated. Good luck.