At times Real Time Alerts may contain System in the Who Changed however the daily Change Summary emails or SQL Reports show the correct user.
By default the product does a full data collection every 24 hours (3AM by Default). However every 10 minutes it does a fast data collection where it simply gathers changes and security event logs and fires off real time alerts.
When changes are received it isn't known who made those changes or when those changes were made. After receiving the changes we immediately look in the security event logs for the corresponding event and this is where we get the Who Changed and When changed information. Depending on the timing of the change and the collection process, sometimes this event hasn't been written to the security event log (perhaps there is a delayed queue of events being written at that time on that particular DC for example). So in order to ensure there is no delay in receiving the alert the real time alert is sent out with as much gathered information as was possible at that time.
During the next fast data collection the product will then attempt to find the security event for the previous missed changes as well as the new ones and so on. If the Summary report the next day (or next Full data collection) contains the correct Who Changed then this means that the security event was eventually written and collected. Because the real time alert was sent out in the past it is therefore not reflected in the alert but is reflected in the change for daily review (default) or via SQL Reporting.