Oracle Account Locked by multiple failed login

ISSUE:
An account was locked because of multiple failed logins. Need find out where those failed logins came from.

SOLUTION:
if audit is turned on for failed login sessions, login information can be extracted from audit trails.

EXAMPLE:
Audit it turned on for sessions and saved to xml file outside of database.

Go to audit directory $ORACLE_BASE/admin/SID/adump
ls -ltr | tail -10 | awk '{print $9}' | xargs grep -i SCHEMA_NAME | grep "<Returncode>1017</Returncode>"

ATTN: return code 1017 -- invalide usename/password
            return code 28000 -- account is locked
            return code 0 -- login successfuly
            action 100/101 -- login