In CUCM the Audit Log (which captures all logins and what that login did) is enabled by default. You can use the RTMT to look at the Audit Log and do a search for "rmuser". The activity where the application user account was changed should be captured.
The two ways to look at the Audit Log are with the Audit Log Viewer tool in RTMT or by pulling the raw Audit Log. Of the two, I think you might have better luck with the raw Audit Log file because you can do a straight text string search. The search feature of the Audit Log View tool in RTMT is good but not awesome and you may not hit what you are looking for.