The previous comment is not entirely correct, at least not on a Windows 2003 Domain. Event 646 is not an indication that a computer joined a domain. In this case, an indication could rather be event 645: Computer account created. It is true that 646 is also logged in this case. In fact, it is logged twice, once for enabling the account and once for resetting the account, but it can be logged in the same way, without a computer joining the domain (for example if the administrator manually resets or enables/disables an account).
Therefore, when a computer joins a domain, the following events from the "Account Management" category are logged in the following order:
645: Computer account created.
628: User account password set.
646: Computer account changed, with information on field "Password Last Set" - indicating that the computer account was reset.
646: Computer account changed, with information on field "User Account Control": User account enabled - indicating that the computer account was enabled.
626: User account enabled (it is always logged with 646 when a computer account is enabled/disabled).
Other events logged are from "Directory Service Access" category: two 565 (object open) events and from "Object Access" category: two 562 (handle closed) events.
The 646 event is logged also when a computer account is reset. The "Changed Attributes" set of fields will only have information on the "Password last set" field.
The 646 event is also logged when a computer account is enabled/disabled. In this situations the event will be logged together with 626 event (user account enabled) / 629 (user account disabled). The "User Account Control" filed in event 646 will display information on the action performed:
User Account Control: Account Enabled
User Account Control: Account Disabled.
This event indicates that a computer has joined the domain. The user name used for this operation is indicated in the event.