Hi Bipin,
How often is the account getting rotated? Is it within the scope of your policies for password rotation? How many failed logins are allowed on Active Directory before an account is locked out?
You might have to open a support ticket to track this down.
You can change the following log levels and monitor until you get another lockout. Then after the new lockout, collect the logs. bin and the catalina.out and change the levels back to avoid getting large log files.
Tomcat Log Level: Config
LDAP Sync Log Level: Verbose.
When you submit the logs, let the support person know the date and time of the account lockout.