I've achieved this in the past by monitoring for syslog messages (using the Solarwinds Syslog Viewer) which contain the relevant message text. An action is then set to fire an email alert containing the original syslog message.
I then noticed that you're using LEM of which I have no experience - so my original comment may be unhelpful here.
*** Disclaimer ***
This was only tested on a Cisco ASA, accessed via ASDM and SSH but here's what I found...
*** End Disclaimer ***
Here's what I came up with as far as an nDepth search for finding when someone is entering a configuration terminal. I'd assume something similar could be done for enable and also other devices by updating/adding the ToolAlias.
One important thing to note is that the Detection IP will be filled based on whichever interface the LEM node is setup. You can find your nodes at 'Manage > Nodes'. I was testing with an ASA and my LEM node is setup on an interface say 10.1.2.3 but when I access my firewall, for configurations, I access it via 10.1.1.1, for example. The Detection IP in this case would be 10.1.2.3 instead of 10.1.1.1 since LEM is not monitoring 10.1.1.1. Although, you will more than likely refer to the firewall as 10.1.1.1, since syslog is setup on the 10.1.2.3 interface of the 10.1.1.1 firewall, you will get logs detected by 10.1.2.3. This just something to note, which I was confused by at first.
Here's a link to a good Solarwinds produced video on setting up email alerts (rules): Creating Rules in Your SolarWinds Log & Event Manager Console - Videos | SolarWinds
Hopefully this helps or at least gets you going on the right track! Thanks,