Using PowerShell:

Perform the following actions on the Domain Controller (DC):

1. Press Start, search for Windows PowerShell, right-click on it, and select Run as administrator.
2. Type the following script into the console:
   Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4726} | Select-Object -Property *
3. Press Enter.
4. This script will display deleted user accounts. In the output, under Message > Subject, the Account Name and security ID of the user that performed the deletion on the target user can be seen.

Note: If you are using a workstation, the following script should be run on PowerShell:

where is the name of the DC where you want to check if the deletion took place.

Using the Event Viewer

1. Press Start, search for Event Viewer, right-click on it, and select Run as administrator.
2. In the new Event Viewer window, navigate to Event Viewer > Windows Logs > Security using the left pane.
3. On the right pane, click on Filter Current Log.

4. In the new dialogue box, enter 4726 in the field labeled <All Event IDs>.

5. Click on OK.
6. Here, you can see a list of events corresponding to user account deletion. Double-click on an Event ID in the list to view its Properties.
7. In the Event Properties window, in the General tab, under Subject > Account Name, you can see the user that performed this deletion.

Note: If you are using a workstation, in the Event Viewer, right-click on Event Viewer (Local) on the left pane, and click on Connect to Another Computer... and enter the name of the DC in the following format:

The above two methods are complex and the insight provided is limited since it is impossible to keep track of each event as it occurs.