On Thu, Mar 30, 2017 at 10:51 AM, warron.french <warron.french@gmail.com> wrote:
Hey Ryan, thank you for the feedback.

Is there an audit rule that can be used against that service? Perhaps a binary to do a watch (-w) rule against for -p x with -k monitor_power - for example?

If that was my requirement, I'd set up a simple systemd service that watches for the power event via journalctl -- or for more privilege separation, I'd set up rsyslog to filter those messages to a file ... but either way, the service would run a grep -q command watching for events and when that exits, generate an audit event.

The fun part would be getting the unit file dependencies right so that it does its work before it or anything it needs shuts down.
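
The watcher described in the reply above, as an added example that is not part of the original message and not code posted by either participant. The matched log text ("Power key pressed"), the audit message text, and all function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: watch a log stream for a power event, then write an audit record.
# Assumptions (not from the thread): the matched log text, the audit message
# text, and every function/variable name here.

PATTERN="${PATTERN:-Power key pressed}"   # assumed logind message to match
AUDIT_CMD="${AUDIT_CMD:-auditctl -m}"     # auditctl -m sends a user-space audit message (needs root)

# Constructed sample journal lines for an offline demo.
SAMPLE_LOG='Mar 30 10:00:01 host systemd-logind[612]: New session 3 of user root.
Mar 30 10:00:05 host systemd-logind[612]: Power key pressed.'

# Read log lines on stdin; succeed as soon as one contains PATTERN.
# -F matches the pattern as a fixed string; -q makes grep exit at the first match.
wait_for_power_event() {
    grep -qF -- "$PATTERN"
}

# Emit the audit record. The text is fixed and never copied from the log
# line, so log content cannot end up inside the audit trail.
emit_audit_event() {
    $AUDIT_CMD "monitor_power: power event seen in journal"
}

# Returns 0 after emitting one event, 1 if the stream ended without a match.
watch_and_audit() {
    if wait_for_power_event; then
        emit_audit_event
    else
        return 1
    fi
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | AUDIT_CMD=echo watch_and_audit ;;
    --run)  journalctl -f -n 0 -u systemd-logind | watch_and_audit ;;
esac
```

Running with `--demo` prints the record text from the constructed sample; `--run` reads the live journal and needs root for `auditctl -m`.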