Hello,
Thank for you reaching out.
If you have already enabled Events logs GPO settings applied.
Event logs might save you. 4728/4729 A member was added/removed to/from a security-enabled global group 4732/4733 > A member was added/removed to/from a security-enabled local group 4756/4757 > A member was added/removed to/from a security-enabled universal group 4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list) 4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list) 4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)
Get-EventLog -logname security | Where-Object {($.eventid -eq 4732) -or ($.eventid -eq 4733 ) -or ($_.eventid -eq 4746)} | select EventID,MachineName,EntryType,Message,InstanceId,TimeGenerated,Timecreated,UserName | fl | export-csv -path C:\templogs.csv
Hope this helps.