We have a blog article that describes how to go about setting this up in detail, as part of our blog series on protecting against Ransomware: https://www.eventsentry.com/blog/2016/03/defeating-ransomware-with-eventsentry-auditing.html. It's a bit verbose but explains exactly what you are looking for. We also have a KB article that explains the same exact thing and is a little less verbose.
In a nutshell you will need to do the following:
- Ensure object access auditing is enabled via GPO or in the local security policy
- Enable auditing for write access on the folder in question
- Setup a threshold filter for 4663 with the insertion string representing the username
Let us know if you have any questions.