From E1: SEC: Security History Review On Event Type (SHEVTYP) 04 (Doc ID 1300235.1)
There are 2 reasons to log an Event Type of 04:
System Administrator Change is written to the F9312 (Security History) table when the System Admin performs a password change for a user. This event is usually triggered when the user has forgotten their password.
The User changes their password. When a user changes their password, an internal security function (F98OWSECUpdateOWSecurityInternal) is called to update tables F98OWSEC and F9312. This type of password change is logged as administrative in both tables. This is working as designed.
Following is the list of UDC 98|ET (Event Types):
13 Add User/Role Relationship - User/Role Relationship record is added in F95921 (P95921 - User/Role Relationships)
14 Remove User/Role Relationship - User/Role Relationship record is removed from F95921 (P95921 - User/Role Relationships)
15 Modify User/Role Relationship - User/Role Relationships record is modified in F95921 (P95921 - User/Role Relationships)