Requisite: Exchange Mailbox Audit SHOULD BE enabled
|Search-MailboxAuditLog -Identity “firstname.lastname@example.org” -LogonTypes Owner,Admin,Delegate -ShowDetails -StartDate 10/21/2019 -EndDate 10/23/2019 | Export-CSV C:\AuditResult.csv|
From the result, you could use subject to find the specific column, then you could check InternalLogonType. it could show the owner, delegate or admin deleted this email. LogonUserDisplayName shows the user name who deleted this email. Operation describes the action performed.
Should you have one, click here