The problem I see is this: when an account is enabled, there's nothing in the logs that indicates the reason it was disabled. In an account disable event, there is a distinction (lockouts vs. administratively disabled), but unless the disable and the enable happen fairly quickly (within minutes), the LEM's correlation engine isn't going to be a resource-friendly way to achieve this.
One thing that might work for you would be:
- Create a "DeadUsers" security group and move administratively disabled accounts to that group
- Add that group to LEM and use it for a rule correlation, such that "if an account from DeadUsers is enabled, let me know"
The problem then would be if a sneaky admin takes an account out of that group before enabling it, but you could alert off changes to that group (DeleteGroupMember) as well.
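The detection logic from this reply, as an added example that is not from the original post or from SolarWinds LEM: a small Python monitor that tracks membership of a "DeadUsers" group from Windows Security group-membership events, alerts when a member of that group is enabled, and alerts on any removal from the group (the DeleteGroupMember case). The event IDs are the real Windows Security IDs for "user account enabled" (4722) and for members added to (4728/4732/4756) or removed from (4729/4733/4757) security groups; the event records, account names and the group name are constructed for the example. As a design choice beyond the post, an enable that follows a removal from the group in the same stream still raises an alert, so the "remove first, then enable" sequence produces two alerts rather than one.

```python
"""Watch for re-enabled "dead" accounts and for tampering with the DeadUsers group.

Added example (not LEM's own rule engine). Event records are constructed and
simplified; only the Windows Security event IDs are real.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

USER_ENABLED = 4722                 # A user account was enabled
MEMBER_ADDED = {4728, 4732, 4756}   # member added to global/local/universal security group
MEMBER_REMOVED = {4729, 4733, 4757} # member removed from global/local/universal security group

DEAD_GROUP = "DeadUsers"  # group name taken from the post; assumed to exist


@dataclass
class Event:
    event_id: int
    subject: str      # account that performed the action
    target: str       # account affected (enabled, or added/removed as a member)
    group: str = ""   # group name, only meaningful for membership events


@dataclass
class Alert:
    kind: str
    actor: str
    target: str


class DeadUsersMonitor:
    """Stateful monitor: feed it events in order, read alerts afterwards."""

    def __init__(self, initial_members: Iterable[str] = ()):
        self.members: Set[str] = set(initial_members)
        self.removed: Set[str] = set()   # accounts pulled out of DeadUsers during this run
        self.alerts: List[Alert] = []

    def process(self, ev: Event) -> None:
        if ev.event_id in MEMBER_ADDED and ev.group == DEAD_GROUP:
            self.members.add(ev.target)
            self.removed.discard(ev.target)
        elif ev.event_id in MEMBER_REMOVED and ev.group == DEAD_GROUP:
            # Removal from the group is itself suspicious (the "sneaky admin" case).
            self.members.discard(ev.target)
            self.removed.add(ev.target)
            self.alerts.append(Alert("dead-user-removed-from-group", ev.subject, ev.target))
        elif ev.event_id == USER_ENABLED:
            if ev.target in self.members:
                self.alerts.append(Alert("dead-user-enabled", ev.subject, ev.target))
            elif ev.target in self.removed:
                # Enabled after being pulled out of DeadUsers earlier in the stream.
                self.alerts.append(Alert("dead-user-enabled-after-removal", ev.subject, ev.target))


def run(events: Iterable[Event], initial_members: Iterable[str] = ()) -> List[Alert]:
    mon = DeadUsersMonitor(initial_members)
    for ev in events:
        mon.process(ev)
    return mon.alerts


# Constructed sample stream: account and admin names are made up.
SAMPLE_EVENTS = [
    Event(4732, "admin1", "jdoe", DEAD_GROUP),    # jdoe parked in DeadUsers
    Event(4722, "admin2", "jdoe"),                # jdoe enabled -> alert
    Event(4733, "admin3", "asmith", DEAD_GROUP),  # asmith removed from DeadUsers -> alert
    Event(4722, "admin3", "asmith"),              # asmith enabled afterwards -> alert
    Event(4722, "admin1", "bob"),                 # bob was never in DeadUsers -> no alert
    Event(4733, "admin1", "carol", "Finance"),    # unrelated group -> no alert
]


def run_sample() -> List[Alert]:
    return run(SAMPLE_EVENTS, initial_members=["asmith"])


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind}: {a.actor} -> {a.target}")
```

In a real deployment the initial membership would be seeded from a directory query rather than a literal list, and the alert objects would be handed to whatever notification path the SIEM already uses.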