The following Windows command will extract events from the Security log on the machine somehost provided those events have the ID 4624 (login) and are for the user someuser:
The query syntax is described as being XPath that operates upon the XML representation of the events. Beware that it is a actually weird subset of XPath that does not recognize
wevtutil ^ query-events ^ /r:somehost ^ Security ^ /q:"Event[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='someuser']]"
//. Also, the generated XML results are free-standing fragments for each event (i.e. not wrapped by a parent element and thus not well-formed XML).