When I update an application’s list of allowed web origins I see the following log:
...
"type": "sapi",
"description": "Update a client",
...
"body": {
"name": "App Name",
"web_origins": [
"https://example.com"
],
...
"user_id": "{ADMIN_USER_ID}"
This info should help you determine when this action was taken, what happened, and by whom the action was taken.