I was thinking of creating a script which would check the number of users, their names, the number of scripts, and when they were created/modified (if possible).
The script would run every 30-60 seconds, and if there's a change it would send an email notification.
If you are creating a honeypot to study malware, the above may make sense, but sniffing the Mikrotik's WAN traffic using an external sniffer and analysing it makes more sense.
If you want to detect any intrusion by just a script running on the Mikrotik itself, what will not make you happy is that the fact of the intrusion may not be noticeable in the configuration at all. The configuration is just a front-end to the Linux running below, and some vulnerabilities in the past allowed the attackers to retrieve plaintext passwords from the device, so there was no need to create a new user.
Running their own scripts, changing the DNS settings, etc. are things which are easy to accomplish on machines which are not protected enough (many people keeping the default username admin with no password open for management access from WAN exist in the real world, so it is worth letting a herd of bots crawl the internet and try); more sophisticated attacks are possible too, and people exist who take this more complex way.
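The snapshot comparison the question describes, extended to the DNS settings the reply mentions, as an added example that is not part of either post. It is meant to run on a separate monitoring host; the snapshot layout, the function names and all sample values are constructed assumptions, and collecting the snapshot from the router is left out.

```python
import hashlib

# Constructed sample snapshots. The field names are assumptions for this
# example, not RouterOS output; script bodies are placeholder text.
BASELINE = {
    "users": [{"name": "admin", "group": "full"}],
    "scripts": [{"name": "backup", "source": "constructed script body v1"}],
    "dns_servers": ["192.0.2.53"],
}
CURRENT = {
    "users": [{"name": "admin", "group": "full"}, {"name": "svc", "group": "full"}],
    "scripts": [
        {"name": "backup", "source": "constructed script body v2"},
        {"name": "upd", "source": "constructed new script"},
    ],
    "dns_servers": ["203.0.113.9"],
}

def fingerprint(snapshot):
    """Reduce a snapshot to comparable values per section.

    Script bodies are hashed, so an edited script is detected even when no
    modification timestamp is available and the name is unchanged.
    """
    return {
        "users": {u["name"]: u.get("group", "") for u in snapshot.get("users", [])},
        "scripts": {
            s["name"]: hashlib.sha256(s["source"].encode()).hexdigest()
            for s in snapshot.get("scripts", [])
        },
        "dns": {"servers": ",".join(sorted(snapshot.get("dns_servers", [])))},
    }

def diff_snapshots(baseline, current):
    """Return (section, change, name) tuples describing what differs."""
    findings = []
    old, new = fingerprint(baseline), fingerprint(current)
    for section in ("users", "scripts", "dns"):
        before, after = old[section], new[section]
        findings += [(section, "added", n) for n in sorted(after.keys() - before.keys())]
        findings += [(section, "removed", n) for n in sorted(before.keys() - after.keys())]
        findings += [
            (section, "changed", n)
            for n in sorted(before.keys() & after.keys())
            if before[n] != after[n]
        ]
    return findings
```

An empty result only means the configuration front-end is unchanged; the stolen-password case from the reply produces no finding here.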