This is a feature of the membership provider. You need to set the requiresQuestionAndAnswer parameter to "true" in the web.config to turn it on. One warning though - it expects this to be configured from the start, so if you have existing users in
the database you may run into problems logging in or resetting their passwords.
As for auditing, that is not built in. As the FBA Pack works against a membership provider - it would have to be the membership provider that supported the auditing. Since none of the standard membership provider functions provide a "changed
by" parameter, you'd have to write a custom membership provider to do this, and extend the FBA Pack code specifically for that custom provider. Note that the sql membership provider does store when many events happened (account created, last login date,
last password attempt failure....), but it does not store who made the changes (Probably assuming that a request to create an account is from the user itself, and any changes to the account are from the same authenticated user).