This can be acquired from cPanel access_log.
less /usr/local/cpanel/logs/access_log | grep "email-account" | grep password
This will O/P the result in the format,
<IP> - int3rpa9 [03/07/2014:19:23:25 -0000] "GET /cpsess7193950799/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=passwdpop&email=<"email acct>"&domain=domain.com&password=__HIDDEN__&cache_fix=1394220206862 HTTP/1.1" 200 0 "https://server name:2083/cpsess7193950799/frontend/x3/mail/pops.html" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36" "-"
From here, you can get the IP from which password is changed.
Also, you can get the blocked IP due to incorrect password from the command,
=-=-
less /var/log/maillog | grep <email-acct> | grep blocked
=-=-
Done
less /usr/local/cpanel/logs/access_log | grep "email-account" | grep password
This will O/P the result in the format,
<IP> - int3rpa9 [03/07/2014:19:23:25 -0000] "GET /cpsess7193950799/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=passwdpop&email=<"email acct>"&domain=domain.com&password=__HIDDEN__&cache_fix=1394220206862 HTTP/1.1" 200 0 "https://server name:2083/cpsess7193950799/frontend/x3/mail/pops.html" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36" "-"
From here, you can get the IP from which password is changed.
Also, you can get the blocked IP due to incorrect password from the command,
=-=-
less /var/log/maillog | grep <email-acct> | grep blocked
=-=-
Done