Is this for on-premises or Exchange Online? Generally speaking, you need to check the Exchange Admin Audit log and/or the Unified Audit log in Office 365. You will also need to cover the "AD" part, as they might have deleted the user object directly.