Hello @GenePHL, welcome to the MongoDB Community forum.
This is some basic information.
The server logs (Log Messages) have the information about all the actions on a server. Logs have timestamps and log components specifying the functional categorization of the messages. I see that the mtools (a tool which is used to study logs, apply filters, format, etc.) can be used to get relevant information, for example the authentication / access by a particular user on a particular date/time.
The user authentication and authorization (MongoDB Security) when enabled and configured will provide who did what and when information in the logs. Security can also control which individual or groups can do what - in an organized and centralized manner.
Also see Security Auditing and a related post: Update auditLog configuration without restart.