Who or what restarted the SCCM system

I get this question quite often. In big SCCM environments a lot of things can restart a system, but this is how I troubleshoot it:

1. First I check "RebootCoordinator.log" to find out whether a package or a user initiated the restart.

2. If it was a package and the reboot came at a bad time, check whether a maintenance window (MW) is set on any of the collections the system is a member of.


3. The next option is that a user did the restart. This is a little trickier, but impossible or hard? No! :)

Check "smscliui.log" and look for the SID of the user who accepted a reboot, for example after Software Updates.


Download the PsGetSid tool from here (link to Microsoft).

Run the command with the SID as the parameter and you will get the username of the user who restarted the system in cleartext.
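
The SID lookup from step 3 can also be scripted. The following is an added example, not part of the original post: it pulls every account SID out of smscliui.log and resolves it with the .NET `SecurityIdentifier.Translate` call instead of PsGetSid. The log path is the assumed default client log folder, and the fallback lines are constructed, not real log output.

```powershell
# Added example, not from the original post.
$LogPath = Join-Path $env:windir 'CCM\Logs\smscliui.log'   # assumed default log folder

if (Test-Path $LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample lines (not real smscliui.log output) so the script runs anywhere.
    $lines = @(
        'constructed: restart accepted by S-1-5-21-1111111111-2222222222-3333333333-1001',
        'constructed: line without any SID'
    )
}

# Account SIDs issued by a domain or local machine: S-1-5-21-<3 sub-authorities>-<RID>.
$sidPattern = 'S-1-5-21(?:-\d+){4}'
$cache = @{}   # resolve each SID only once

function Resolve-SidToAccount([string]$Sid) {
    if (-not $cache.ContainsKey($Sid)) {
        try {
            $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
            $cache[$Sid] = $obj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted account, unreachable domain or malformed SID.
            $cache[$Sid] = '<unresolved>'
        }
    }
    $cache[$Sid]
}

# Emit one record per SID occurrence, with the log line it came from.
$lines | Select-String -Pattern $sidPattern -AllMatches | ForEach-Object {
    $hit = $_
    foreach ($m in $hit.Matches) {
        [pscustomobject]@{
            LogLine = $hit.LineNumber
            Sid     = $m.Value
            Account = Resolve-SidToAccount $m.Value
            Text    = $hit.Line.Trim()
        }
    }
} | Format-List
```

Run it on the affected client, or on a machine joined to the same domain against a copy of the log, so that domain SIDs can be resolved.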