Seemingly related to
SERVER-11192, the __system user is audited as the initiator of DDL operations like createDatabase, dropDatabase, createCollection, dropCollection, createIndex, and dropIndex when those commands are run from a mongos in a sharded environment.
CRUD operations are correctly attributed.
A partial workaround is to use auditAuthorizationSuccess and an auditFilter focusing on DDL operations, on mongos nodes, to obtain authCheck audits from the mongos. But this is not applicable in all cases (ex: implicit collection creation)