Similar to "Last Login Date" suggestion, add the age of the password for SCRAM users. I see that https://jira.mongodb.org/browse/SERVER-3197 was closed as "Won't Fix", but this will at least allow reporting, audit, external maintenance, etc.