
Summary
Detects creation of new user accounts in Databricks by monitoring the Databricks Audit logs for a createUser action. A new account could be part of legitimate onboarding or may indicate an attacker attempting to establish persistence. The rule looks for logs where the serviceName is accounts and the actionName is createUser, optionally correlating the actor (userIdentity.email) with the targetUserName (new user). It references the Databricks Audit data source and is mapped to MITRE ATT&CK TA0003:T1136 (Create Account). The included runbook suggests validating onboarding, checking for immediate privilege elevation, and reviewing the account creator.
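The matching logic described above, as an added example in Python (not the rule's own code): it applies the serviceName/actionName check to constructed JSON audit lines and pulls out the actor and the new user for the alert. The field names serviceName, actionName, userIdentity.email and targetUserName come from the rule description; that targetUserName sits under requestParams is an assumption about the log shape.

```python
import json
from typing import Iterable

# Added example, not the rule's own implementation. Assumes Databricks audit
# events arrive as one JSON object per line, with targetUserName nested under
# requestParams (assumption; adjust to the actual audit log layout).


def rule(event: dict) -> bool:
    """Fire only on account-service createUser events."""
    return (
        event.get("serviceName") == "accounts"
        and event.get("actionName") == "createUser"
    )


def actor(event: dict) -> str:
    """Who performed the action (userIdentity.email)."""
    return (event.get("userIdentity") or {}).get("email", "<unknown actor>")


def target(event: dict) -> str:
    """The newly created user (assumed at requestParams.targetUserName)."""
    return (event.get("requestParams") or {}).get("targetUserName", "<unknown user>")


def title(event: dict) -> str:
    """Alert title correlating creator and created account for the runbook."""
    return f"Databricks user [{target(event)}] created by [{actor(event)}]"


def evaluate(lines: Iterable[str]) -> list:
    """Parse log lines, skip malformed ones, return a finding per match."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the detection
        if rule(event):
            findings.append({"actor": actor(event), "target": target(event),
                             "title": title(event)})
    return findings


# Constructed sample lines (not real audit data): one true match, one other
# action, one createUser outside the accounts service, one malformed line.
SAMPLE_LINES = [
    json.dumps({"serviceName": "accounts", "actionName": "createUser",
                "userIdentity": {"email": "admin@example.com"},
                "requestParams": {"targetUserName": "new.hire@example.com"}}),
    json.dumps({"serviceName": "accounts", "actionName": "login",
                "userIdentity": {"email": "admin@example.com"}}),
    json.dumps({"serviceName": "other", "actionName": "createUser",
                "userIdentity": {"email": "svc@example.com"}}),
    "{not json",
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LINES):
        print(finding["title"])
```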
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1136
Created: 2026-04-01