Two ways - search or reports. (You might also update the email template to send more details about that event, or choose a different email template that shows more detail, that way when the email gets sent it's automatic.)
If you open up nDepth (Explore > nDepth) you can search for that event, either by type or some information like the account name. The account name might be useful because then you could see the logon failure events that come before it, too. What you're really looking for in the Disable event itself is the reason, then in the logon failures the FailureReason and LogonType fields (e.g. if FailureReason is bad password and LogonType is service, you know you have an account tied to a service whose password is wrong).
Thanks Nicole. I guess I need to learn how to use/modify the rules more and the templates. You have pointed me in the right direction.