On either the DC or the LM collector, in the event log you're looking for Security:4625 and Security:4740 events.
These will contain a Status and substatus that will tell you what specifically is happening. The 4625 for the service account that occurs just before the locked is the reason it's locking out.
4624 - Auth Success
4625 - Auth Failure
4740 - Lockout
4767 - Unlock
4624 - Logon
4634 - Logoff
# Failed Logon Event Codes - 4625 - https://system32.eventsentry.com/codes/field/Netlogon%20Error%20Codes
0xC000005E There are currently no logon servers available to service the logon request.
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to logon outside his day of week or time of day restrictions
0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xc000015B The user has not been granted the requested logon type (aka logon right) at this machine
0xC00000DC Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC000018D STATUS_TRUSTED_RELATIONSHIP_FAILURE