Wednesday, 7 August 2013

Any way to tell what process is trying to use credentials?

We have a domain account that is being locked out via 1 of 2 servers. The
built-in auditing only tells us that much (locked out from SERVER1,
SERVER2).
The account gets locked out within 5 minutes, about 1 request per minute
it seems.
I initially tried to run procmon (from Sysinternals) to see if any new
PROCESS START events were being spawned after I unlock the account. Nothing
suspicious comes up. After running procmon on my workstation and elevating
to a UAC shell (consent.exe), it seems from the stack that ntdll.dll
and rpcrt4.dll get called when you try to auth against AD (not sure).
Is there any way to narrow down which process is causing an authentication
request to our DC? It's always the same DC, so we know it must be a server
out in that site. I could try looking for the calls in Wireshark, but I'm
not sure that would narrow down which process is actually triggering it.
No services, drive mappings, or scheduled tasks are using that domain
account either -- so it must be something that has the domain creds
stored. There are no open RDP sessions with that domain account either on
any server (we checked).
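One defender-side way to answer this, as an added example that is not part of the original post: rather than tracing process starts, read the Security log on the two servers the lockout audit names and pull the failed-logon events (Event ID 4625) for the account, since that event carries the caller process for logons that originate on the host itself. The account name and server names are placeholders; it assumes "Audit Logon" failure auditing is enabled on the member servers and that the Security log is readable remotely.

```powershell
# Added example (not from the original post). Query the Security log on the
# two servers named in the lockout audit for failed logons (Event ID 4625)
# of the affected account and list the caller process for each attempt.
# Assumptions: the account and server names below are placeholders, failure
# auditing for "Audit Logon" is enabled, and the Security log is readable remotely.
$Account = 'svc_example'            # placeholder: the account being locked out
$Servers = 'SERVER1', 'SERVER2'     # the two servers the lockout audit points at
$Since   = (Get-Date).AddHours(-1)  # roughly one lockout cycle of attempts

$results = foreach ($srv in $Servers) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $srv -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read the named EventData fields from the XML instead of parsing message text
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $Account) { return }   # 'return' skips this event only
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Server      = $srv
            LogonType   = $d['LogonType']        # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock
            SubStatus   = $d['SubStatus']        # 0xC000006A bad password, 0xC0000234 account locked out
            Process     = $d['ProcessName']      # caller process; empty for network (type 3) logons
            ProcessId   = $d['ProcessId']        # hex PID of the caller process
            Workstation = $d['WorkstationName']  # where a network logon really came from
            SourceIp    = $d['IpAddress']
        }
      }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

If Process is empty and LogonType is 3, the credentials were presented over the network and the caller lives on the host named in Workstation/SourceIp, so rerun the query against that host. The lockout itself is recorded on the DC as Event ID 4740, whose "Caller Computer Name" is the same pointer the built-in auditing already gave you.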
