I am not an Openshift master, however the first thing I though about was some Audit logs, that was already suggest you immediately in comments. Quick search showed this: Openshift Viewing audit logs:

Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system.

Audit works at the API server level, logging all requests coming to the server. Each audit log contains the following information:

Also may help:

• Configuring the audit log policy

case 1: if you are using managed K8S then you should be able to see those logs under cloud-watch( if not configured else where) just for reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

case 2: if you are using the standalone K8S cluster by default its not there you have different option to configure. if you have configured then all system logs can be stored and audit. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

Not a direct answer to your question, but in OpenShift, creating aProject"triggers the creation of a"Namespace". So you may chase after who created the"Project"

You can also configure OpenShift to restrict the creation of"Projects"as described in the doc: https://docs.openshift.com/container-platform/4.7/applications/projects/configuring-project-creation.html