@Techno89 Thanks for sharing the screenshot, it now makes sense. The reason you are not able to use userPriniciaplname is because it is not a direct attribute in result but under another entity. See the screenshot below to understand :
So in order to fetch that you have to go via InitiatedBy then user and then the userprincipalname.
Here is the modified query from my lab which will give you who performed the password change, you can modify it according to your need.
AuditLogs
| where OperationName == "Change user password"
| extend Actor= InitiatedBy.user.userPrincipalName
| project Actor, TimeGenerated
-----------------------------------------------------------------------------------------------------------------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.