Hi,
I am wondering if there is a way to monitor daemon activity, like a start and
stop, with auditd.
I see in the logs of auditd that some activities with crond and/or PAM are logged, like:
msg='PAM session close: user=root exe="/usr/sbin/crond"
...
msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"
and I am wondering if I can catch a user that is trying to stop or start a daemon like
syslog-ng.
Also, why, if I have no rules defined, does auditd log those things anyway?
Thanks