If enabled, all setting changes for all profiles and for System Wide Settings are written to the logs/audit.log file in the installation directory. This includes where the event came from, which account did it, which profile (if applicable), and what changed. Certain other events are included as well such as logins, logouts, failed logins, ACL-restricted events, profile creation/deletion, etc.
Note: While known sensitive fields (e.g. Login Info) have values redacted, other sensitive data may nonetheless be logged (e.g. URLs). See also the per-profile setting Audit Logging (section 4.5.88, here).