you can see password changes in the messages file, for example just grep for "pass"
[Expert@fw1:0]# grep -i pass messages
User admin changing password interactively:
Jun 4 05:13:23 2018 fw1 xpand[16234]: User entry created for "admin" in the password database
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p -passwd:admin:lastchg 1507809353
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p +passwd:admin:lastchg 1528100003
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p -passwd:admin:passwd ********************************
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p +passwd:admin:passwd **********************************
where 1528100003 is the EPOC time you may convert with any tools, for example
date -d '1970-01-01 UTC + 1528100003 seconds'
Mon Jun 4 05:13:23 ART 2018
Expert password set with hash instead of interactive:
Jun 4 06:55:47 2018 fw1 clish[13821]: cmd by admin: Start executing : set expert-password-hash ... (cmd md5: ecb7a46d62f313d7f1cc2bc0dacbfbd9)
Then generating alerts would be up to you - you can write scripts, do polling etc depending on the destination of the alert