There are possibly a few ways you could check, all depends on how PA exposes the version numbers.
1) NPM: Custom Universal Device Poller. See if those versions are exposed via SNMP. I'd be surprised if they were since it's more of a security appliance.
2) NPM: See if PA can generate an SNMP trap when those get updated.
3) NCM: See if version numbers are available via the CLI/config and watch for changes.
4) SAM: If there is an API available for those PA's that you could reach into to view version numbers.
I did more digging this afternoon and it appears that all the version I want to watch are in the SNMP OIDs so I am good to go.
I will be using NPM with some type of an alert on change