We had a user recently that was repeatedly locking out. I find this is typically from an old password on a phone, or a mapped drive with old stored credentials, though it could just be from another computer the user has forgotten about that they are logged in to.
A great starting point is the Account Lockout Status Tools. Microsoft provides those for free download on their site at the following URL:
When you load the program, click on File, and then click on Select Target
You will need to supply the username of the user you are looking into as well as your domain. When you press ok, the tool will return the lockout status of that user on all of your domain controllers. This includes the current state, when the last incorrect password was entered, as well as how many times.
You’ll want to see which domain controller is reporting bad password counts and the most recent last bad password and check the event log on that machine.
You can filter that log by event id 4740.
The event log entry will show a number of details, but the Caller Computer Name will be the device name that instigated the lockout.