I think the way I would approach this is to install SQL triggers on the account_security table to track changes to privileges and feature rights, and a trigger on entry_acl, vol_acl, prop_acl and pset_acl to track changes to entry, volume, field and template ACLs. These triggers would insert a row into a logging table. Then, a separate process can poll this table and send an email. If you have the trigger call into a CLR stored procedure you can do some more complex things without the need for a separate polling process, but the trigger needs to run very quickly so I wouldn't recommend it. It's important that the triggers all start with SET NOCOUNT ON for this to work. Installing a trigger on the toc table would be required to track changes to folder filter expressions but that would be so intrusive that I wouldn't do it.

Please note that by installing triggers, you're getting into unsupported territory and this can definitely destabilize the Laserfiche server if it's not done very carefully. A less risky approach would be to frequently import the audit logs into the audit reporting database and scan that for relevant audit events.