Score:0

How do I tell what changes the group policy made?

Tim

I have a situation where someone within a client's SecOps team made a GPO change but is not fessing up to it because it caused a pretty big outage.

From the Windows Event Logs on the affected server, I can see logs saying before and after the incident:

The Group Policy settings for the computer were processed successfully. New settings from 4 Group Policy objects were detected and applied.

Assuming the person made the change and then, after we reported the outage, undid those changes, is there a way for us to determine precisely what changes were made by the GPO policy being applied?

There are a few parties involved in the incident, including two third-party MSPs. Everyone (including the customer's new Sec Analyst) is trying to take advantage of the situation, throw their hands up, and say "There were no changes". We're the ones left on the hook because it impacted a service running on the server that we manage for the customer. As such, if you have any ideas on how we can determine what was changed, that would be much appreciated.

Zac67
Try running `rsop.msc`.
Jan
Do you know which GPO the change was made in? You could just show them that the version number increased from day X to day Y to shut them up.
Score:1

It depends; if you're lucky, the bad settings got caught inside a shadow copy snapshot.

On the DC you could see the change inside the SYSVOL volume's Policies folder. The GPO itself will list the last time it was changed, but more importantly, if you have shadow copies you might be able to see the before / after.

gpt.ini lists the version, and in the folder you can check the policy's file with a text editor. Some settings are hard to read, but it will give an idea.
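
One way to carry out the before/after comparison described in this answer, as an added PowerShell example that is not part of the original thread. It assumes you have copied the Policies folder out of a shadow copy to a readable path (`-BeforePath`) and can read the current one (`-AfterPath`); the parameter and function names are hypothetical.

```powershell
# Added example (not from the thread). Both paths are assumptions:
#   -BeforePath: a copy of ...\SYSVOL\<domain>\Policies recovered from a snapshot
#   -AfterPath : the current ...\SYSVOL\<domain>\Policies folder
param(
    [Parameter(Mandatory)][string]$BeforePath,
    [Parameter(Mandatory)][string]$AfterPath
)

function Get-GptVersion([string]$GpoDir) {
    # gpt.ini holds "Version=<n>": low 16 bits = computer revision, high 16 bits = user revision.
    $ini = Join-Path $GpoDir 'gpt.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return 'n/a' }
    $m = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' | Select-Object -First 1
    if (-not $m) { return 'n/a' }
    $v = [long]$m.Matches[0].Groups[1].Value
    'computer={0} user={1}' -f ($v -band 0xFFFF), (($v -shr 16) -band 0xFFFF)
}

function Get-FileIndex([string]$Root) {
    # Map "path relative to $Root" -> SHA-256 for every file under $Root.
    $full  = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $index = @{}
    Get-ChildItem -LiteralPath $full -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($full.Length + 1)
        $index[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $index
}

$before = Get-FileIndex $BeforePath
$after  = Get-FileIndex $AfterPath

foreach ($rel in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
    $state = 'Same'
    if     (-not $before.ContainsKey($rel)) { $state = 'Added' }
    elseif (-not $after.ContainsKey($rel))  { $state = 'Removed' }
    elseif ($before[$rel] -ne $after[$rel]) { $state = 'Modified' }
    if ($state -eq 'Same') { continue }

    $gpo = ($rel -split '\\')[0]   # first path segment is the GPO's {GUID} folder
    [pscustomobject]@{
        Gpo           = $gpo
        File          = $rel
        State         = $state
        VersionBefore = Get-GptVersion (Join-Path $BeforePath $gpo)
        VersionAfter  = Get-GptVersion (Join-Path $AfterPath  $gpo)
    }
}
```

Each output row names the GPO folder, the file that differs, and the gpt.ini revision counters on both sides, so a change that was made and later reverted still shows up as a higher revision number even when the file contents match again.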
