Need to create an audit record in our application whenever a user changes their password

Ideally via hooks or rules our app would receive an event/callback that provides the password change details. Can this be done via hooks or rules? If yes, can you provide a link to the documentation or example that includes the available properties.

The option seems to be to continuously crawl the logs - argh.

This can be achieved using the Authentication API Webhooks extension. You can configure this to run on Success Change Password events only. You can setup a webhook on Webtask (or your own endpoint), which can handle the calls from Auth0 and do the additional logging.