AD Account Lockout Tools

I have a user that continues to get locked out. What are the best tools available to find the source of the problem? I have downloaded the Microsoft Account Lockout tools but that just confirms what DC is getting locked out, the date and time of the occurrence. I would like to find out the source IP or Device. Is there a good way to do this via Powershell?

I had the user turn off his machine and delete all Office 365 products from his phone. Its possible he may be logged on to a server somewhere with his old credentials.