Logging password changes
Is there a way to log changes to user passwords?
If I change my password I want it to be logged somewhere.
It doesn't go in /var/log/messages... it doesn't go in /var/log/secure;
the only place it goes is /etc/shadow, and I can see the last time
a user changed his/her password by typing "chage -l userid",
which gives the date of the last password change.
I don't think that is quite good enough for the Gov't C2 audit requirements,
so I was wondering if anyone knew how to set up PAM or something to
log when a user changes his/her password into, say, /var/log/messages
or something?


I know PAM can be configured with a database that stores old encrypted passwords and won't let you change back to one in the list. I could set up the ability to do that, then only allow one password change per day, running a "chage -l UID" command in a cron job to see which IDs changed.
Gov't C2 auditing requires that the system log (somewhere) any password changes. One of the auditing questions is: "Log in as a user. Change to an acceptable password. Was the change logged?" Maybe PAM can provide more info to the syslog somehow? It does say when users log on and log off, so why couldn't a change to passwords be logged?
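The cron-plus-chage idea from the reply above, written out as a runnable script. This is an added example, not code from anyone in the thread: it reads the same "last changed" field (field 3 of /etc/shadow, days since 1970-01-01) that chage -l prints, compares it with a snapshot saved on the previous run, and sends one syslog line per changed account through logger(1), so the change does show up in /var/log/secure or /var/log/messages as the audit question demands. It assumes awk(1) and logger(1) are present and that /etc/shadow is readable by the cron user (root); the snapshot path /var/lib/shadow-watch/lastchg.snap and the shadow-watch tag are made up for the example, and the sample shadow lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): a cron-driven watcher that
# turns the "last changed" field of /etc/shadow into syslog entries.
# Field 3 of each /etc/shadow line is the day (since 1970-01-01) the password
# was last set; "chage -l" reads the same field. Comparing that field with a
# saved snapshot gives "who changed their password since the last run".
# Assumptions: awk(1), logger(1), an /etc/shadow-style file; the snapshot
# path /var/lib/shadow-watch/lastchg.snap is invented for this example.

# Print "user old_lastchg new_lastchg" for every account whose field 3 differs
# between the previous snapshot ($1) and the current shadow file ($2).
password_changes() {
    awk -F: '
        NR == FNR { old[$1] = $3; next }               # first file: remember lastchg
        ($1 in old) && old[$1] != $3 { print $1, old[$1], $3 }
    ' "$1" "$2"
}

# Send one auth.notice line per change to syslog (lands in /var/log/secure
# or /var/log/messages depending on how syslog.conf routes the auth facility).
log_password_changes() {
    password_changes "$1" "$2" | while read -r user old new; do
        logger -p auth.notice -t shadow-watch \
            "password changed for user $user (lastchg $old -> $new)"
    done
}

# Write a hash-free snapshot (user::lastchg) so the state file is not a second
# copy of the secrets in /etc/shadow.
save_snapshot() {
    awk -F: -v OFS=: '{ print $1, "", $3 }' "$1" > "$2"
}

# One cron run: report changes since the last run, then refresh the snapshot.
run_once() {
    shadow="${1:-/etc/shadow}"
    snap="${2:-/var/lib/shadow-watch/lastchg.snap}"
    [ -f "$snap" ] && log_password_changes "$snap" "$shadow"
    save_snapshot "$shadow" "$snap"
}

# Constructed sample data for trying the functions without root: writes a
# "before" file ($1) and an "after" file ($2) where only alice's password moved
# and carol is a new account (new accounts are not reported as changes).
make_sample_files() {
    printf '%s\n' \
        'root:$6$r00t$hash:19000:0:99999:7:::' \
        'alice:$6$al1c$hash:19010:0:99999:7:::' \
        'bob:$6$b0b$hash:19020:0:99999:7:::' > "$1"
    printf '%s\n' \
        'root:$6$r00t$hash:19000:0:99999:7:::' \
        'alice:$6$n3w$hash:19100:0:99999:7:::' \
        'bob:$6$b0b$hash:19020:0:99999:7:::' \
        'carol:$6$c4r0l$hash:19100:0:99999:7:::' > "$2"
}

# Invoke as "shadow-watch.sh --run [SHADOW] [SNAPSHOT]" from root's crontab.
if [ "${1:-}" = "--run" ]; then
    run_once "${2:-}" "${3:-}"
fi
```

Two caveats a practitioner should keep in mind. The field has day granularity, so two changes by the same user on the same day collapse into one entry, which is why the reply above pairs this with a one-change-per-day limit; and the watcher only sees changes that went through /etc/shadow, so a change made directly against an NIS or LDAP directory will not appear. The log line also records only that a change happened and when, not the old or new password, which is all the audit requires.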

