
Tuesday, December 24, 2013

How to find out which device a domain account is getting locked out from



A great tool from Microsoft for this is LockOutStatus, part of the Account Lockout and Management Tools:
http://www.microsoft.com/en-us/download/details.aspx?id=18465

These tools are mainly for Windows XP and Server 2003, but LockOutStatus.exe works against Server 2008 R2 Active Directory too.




LockOutStatus shows the list of your AD servers and the last time that particular account was locked out.
Open the Security log in Event Viewer on the Active Directory server where the account was last locked out, and filter for Event ID 644 [2003] or 4740 [2008].


The Caller Machine Name will indicate where the incorrect credentials are originating from.
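
The same event lookup can be scripted instead of filtering Event Viewer by hand. The following PowerShell is an added example, not part of the original post; the function name `Get-LockoutSource`, the account `jdoe` and the server names `DC01`/`DC02` are placeholders, and it covers Event ID 4740 only (not 644 on Server 2003).

```powershell
# Added example: list Event ID 4740 (account locked out) records for one user
# on the given domain controllers and show the Caller Computer Name.
# Assumptions: the DC names and account name at the bottom are placeholders;
# run with rights to read the Security log on each DC.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [string[]] $DomainController,
        [int] $Days = 2
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent raises an error when nothing matches or the DC is unreachable
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Read the named fields from the event XML rather than by position
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $UserName) { continue }
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc
                LockedAccount    = $data['TargetUserName']
                # In 4740 the Caller Computer Name is stored in TargetDomainName
                CallerComputer   = $data['TargetDomainName']
            }
        }
    }
}

Get-LockoutSource -UserName 'jdoe' -DomainController 'DC01','DC02' |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

An empty `CallerComputer` value means the event did not record a caller name, so the originating machine has to be identified another way.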

2) Find out what process/application is using the incorrect credentials.

If the Caller Machine Name is a known server such as Exchange, check whether the user has additional devices, such as an iPhone or iPad, which perhaps do not have the user's latest credentials.
