JAMF Support found the following command, which seems to work, however shows the username as "<Private>":
“log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d”
They said using sudo would unmask the <private> tags and show the usernames, but that did not work for me on my BigSur 11.6 test Mac.
However, I found a .mobileconfig file that uncloaked the usernames from the point of adding it forward. It had no effect on past entries.: