Starting with Windows Vista and Windows 2008, if you want to see who and when changes Windows Firewall with Advanced Security rules and other settings you must enable either the “Policy Changes” auditing category or rather the “Filtering Platform Policy Change” and “Other Policy Change Events” auditing subcategories. Afte you have enabled this auditing, system will log success and failure audits into the Security event log whenever any firewall setting changes.

you can enable the auditing with Group Policy, Local Security Policy or from command line:

auditpol /set /subcategory:”Filtering Platform Policy Change” /success:enable /failure:enable
auditpol /set /subcategory:”Other Policy Change Events” /success:enable /failure:enable