I think the big thing here is that domain level events and local machine events get logged by each domain controller. If all you care about is account lockouts or login failures, you may only need to monitor a selection of Domain Controllers (although your rules may or may not fire if your replication takes longer than the response window on the rule allows). However, if you want to see local accounts logging into the DCs (Why did that local user log in and remove DNS and NTP from the server?) and want to see things that are system related, like disks getting full or BSODs or shutdowns or processes stopping, you're going to need the Agent on every DC so you capture those events. Your DCs don't share all their events, and if DC2 gets a disk full and stops working, it's not going to pass that to DC1 where the Agent is.
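As an added illustration of the point above (not code from the thread or from the LEM product), the script below reads the per-DC events the post describes, local-account logons and shutdowns, directly from each DC's own event log; it assumes the ActiveDirectory RSAT module, remote event log access to every DC, and rights to read the Security log. The hostnames and the one-day window are assumptions.

```powershell
# Added example: per-DC events that never replicate, pulled from each DC itself.
# Assumes RSAT ActiveDirectory module, RPC access to each DC's event log,
# and rights to read the Security log. Event IDs are standard Windows ones.
Import-Module ActiveDirectory

$dcs   = (Get-ADDomainController -Filter *).HostName   # every DC in this domain
$since = (Get-Date).AddDays(-1)                        # assumed look-back window

foreach ($dc in $dcs) {
    $shortName = ($dc -split '\.')[0]

    # Interactive (2) or RDP (10) logons whose account domain is the DC's own
    # hostname, i.e. a local (non-domain) account. Only the DC where the logon
    # happened records this 4624.
    $localLogons = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        ($data.LogonType -in '2','10') -and ($data.TargetDomainName -eq $shortName)
    }

    # System-health events from the post: initiated shutdown (1074) and
    # unexpected shutdown / bugcheck (6008). These are local to the DC too.
    $systemEvents = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'System'; Id = 1074, 6008; StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC           = $dc
        LocalLogons  = @($localLogons).Count
        ShutdownEvts = @($systemEvents).Count
    }
}
```

Any DC that shows counts here but is not reporting the same events in LEM is one the Agent is not covering.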
In my environment, we have 5 Domain Controllers across 3 different domains. We added all domain controllers to LEM. This covers everything, and if you plan on tracking logon/logoff or change management in AD, then you will need to add them all.