There are many events that can be selected to monitor. Some of the recommended ones are:
Audit Account Management - to determine when a user or group is created, changed, or deleted. When a user account is renamed, disabled, or enabled. Or when a password is changed on a user account.
Audit Directory Service Access - provides a low-level audit trail of changes to objects in AD. This is like Audit account management, but you can identify exactly which fields of a user account or any other AD object were accessed. Audit directory service access is the only way to track changes to OUs and GPOs, which can be important for change-control purposes.
Audit Logon Events - defines the auditing of every user attempt to log on to or log off from a computer within the domain.
Audit Policy Change - determines whether the operating system generates audit events when changes are made to audit policy.
Audit Privilege Use - tracks the exercise of user rights.
Audit Process Tracking - tracks each program that is executed, either by the system or by end users.
Audit System Events - eclectic mix of system events relevant to security including system start-up and shutdown, or when an event occurs that affects either system security or the security log.