Monitoring NAC?

ashvaras
Cisco Employee

What is the best practice/process to make sure someone does not inadvertently remove the NAC configuration from a user port? Is there a method to monitor the ports set up for NAC and alert if they are changed?

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

TACACS with command authorization and accounting will 1) validate that the user is authorized to make the change, and 2) log changes, by command, by admin.

Craig


4 Replies

Hmmmm - so is there documentation or any more detail on how to do this? And also, if I understand correctly, you are saying there is no ability to alert on a configuration change?

I am making the assumption that "user ports" refers to switch port configuration, i.e. the ports on the network access device. TACACS configuration on the switch should be covered in the switch docs. For example, to configure TACACS+ on a Catalyst 3850, you can quickly get links from Cisco.com search, or Google, example: LMGTFY

For ISE configuration of T+, this is covered in ISE documentation. Example: Cisco Identity Services Engine Administrator Guide, Release 2.3 - Control Device Administration Using TACACS+ [Cisco I…

ISE does log and provide reports based on TACACS+ or RADIUS events for device admin access, but ISE does not alarm on these events. This is more in the realm of the network device management system. It is possible to generate SNMP traps from switches when the config is changed:

https://www.petri.com/notified-cisco-router-configuration-change

Config Management SNMP Trap - Cisco Support Community

Your SNMP Management system can then generate the desired alert.

Craig

ISE does not manage configurations of network devices. Please look for others, such as Cisco Prime Infrastructure -- Comparing Current and Previous Device Configurations
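To make the two suggestions in this thread concrete (command logging from the switch feeding an alert, and comparing the current port config against what it should be), here is an added example script. It is not from this thread, Cisco, ISE or Prime Infrastructure. It assumes a site port template of three NAC lines (`authentication port-control auto`, `dot1x pae authenticator`, `mab`), and both the running-config excerpt and the syslog lines are constructed for the example; the syslog lines follow the shape of the IOS `%PARSER-5-CFGLOG_LOGGEDCMD` message produced by config command logging (`archive` / `log config` / `logging enable`).

```python
"""Audit NAC port configuration for drift and flag config-change log entries
that remove NAC settings.  Example code added to this thread, not Cisco's own."""
import re

# NAC interface lines every user-facing access port is expected to carry.
# Assumption for the example; adapt to the site's real port template.
REQUIRED_NAC_LINES = (
    "authentication port-control auto",
    "dot1x pae authenticator",
    "mab",
)

# Constructed sample running-config excerpt (not from any real device).
# Gi1/0/2 has drifted: port-control and mab were removed.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 description User port
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
!
interface GigabitEthernet1/0/2
 description User port
 switchport mode access
 dot1x pae authenticator
!
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
!
"""


def parse_interfaces(running_config):
    """Return {interface_name: [stripped config lines]} from running-config text."""
    interfaces = {}
    current = None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None  # end of the interface stanza
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def audit_nac_ports(running_config, required=REQUIRED_NAC_LINES):
    """Return {interface: [missing NAC lines]} for access ports that have drifted.

    Trunk ports (uplinks) are skipped: NAC is expected on access ports only.
    """
    drift = {}
    for name, lines in parse_interfaces(running_config).items():
        if "switchport mode access" not in lines:
            continue
        missing = [req for req in required if req not in lines]
        if missing:
            drift[name] = missing
    return drift


# Constructed syslog lines in the shape IOS config command logging emits.
# User names, interface and address are made up for the example.
SAMPLE_SYSLOG = """\
%PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet1/0/2
%PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:no authentication port-control auto
%PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:no mab
%PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:description User port
%SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.0.0.5)
"""

CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")


def flag_nac_changes(syslog_text, required=REQUIRED_NAC_LINES):
    """Return [(user, interface, command)] for logged commands that remove a
    required NAC line.  Interface context is tracked from 'interface ...' commands."""
    hits = []
    interface = None
    for line in syslog_text.splitlines():
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd").strip()
        if cmd.startswith("interface "):
            interface = cmd.split(None, 1)[1]
            continue
        if cmd.startswith("no ") and cmd[3:] in required:
            hits.append((user, interface, cmd))
    return hits


if __name__ == "__main__":
    for port, missing in audit_nac_ports(SAMPLE_RUNNING_CONFIG).items():
        print(f"DRIFT {port}: missing {missing}")
    for user, port, cmd in flag_nac_changes(SAMPLE_SYSLOG):
        print(f"ALERT {user} on {port}: '{cmd}'")
```

The drift audit is what a scheduled job (or a config-management product such as Prime Infrastructure) would run against a fresh `show running-config` pull; the syslog check is what a log collector would apply as the switch sends config command logging, so an admin removing a NAC line is flagged by username and port as it happens, which command accounting on the TACACS+ side also records.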