You can easily use CloudWatch Events and SNS to automatically send notifications when a CloudTrail is disabled.
Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.
Amazon SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients.
Amazon S3 offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs.
1. Configure S3 bucket
Create a new (or use an existing) S3 bucket to store CloudTrail logs.
After the bucket has been created, configure a bucket lifecycle expiration policy to delete the CloudTrail log files after an appropriate amount of time.
2. Create a CloudTrail
Create a new CloudTrail and indicate that it should include all regions and include all management events. This CloudTrail will be monitored using CloudWatch Events. If this CloudTrail is disabled, an event will be triggered.
Specify the S3 bucket to use for the logs. All logs generated by the CloudTrail will be placed in this bucket (not real-time).
3. Create an SNS Topic and Subscription
Create a new SNS topic. This topic will be the target for a CloudWatch Event. Subscribers to this topic will receive notifications when the CloudWatch Event is triggered.
Create an email subscription to the new Topic. Confirm the email subscription when received.
4. Create a CloudWatch Event Rule
Create a new CloudWatch Event rule. Specify CloudTrail as the event source and StopLogging as the specific API operation. Note that this rule will be triggered for ANY CloudTrail StopLogging event, not just the one for this trail.
Specify the SNS Topic created in step 3 as the target for the event and configure a custom message.
Disable the CloudTrail (which issues a StopLogging call) and verify that an email notification is received.
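As an added example that is not part of the original post, the event pattern the step 4 rule relies on, together with a small matcher that shows which CloudTrail API events would reach the SNS topic and what the custom message could carry. The sample event, account id, IP address and trail name are constructed, and DeleteTrail is included as a generalization beyond the post's StopLogging-only rule (deleting the trail also ends logging).

```python
import json

# Event pattern for the CloudWatch Events rule of step 4. StopLogging is
# what the post monitors; DeleteTrail is added here as a generalization.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail"],
    },
}


def matches(pattern, event):
    """Minimal CloudWatch Events pattern matcher: every key in the pattern
    must exist in the event, leaf lists are OR-ed, nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def build_notification(event):
    """Render the SNS message (the custom message of step 4) for a matching
    event; returns None for events the rule would not forward."""
    if not matches(EVENT_PATTERN, event):
        return None
    d = event["detail"]
    return (f"CloudTrail {d['eventName']} on trail "
            f"{d['requestParameters']['name']} by {d['userIdentity']['arn']} "
            f"from {d['sourceIPAddress']} at {d['eventTime']}")


# Constructed sample in the shape CloudWatch Events delivers for CloudTrail
# API calls; account id, ARN, IP address and trail name are placeholders.
SAMPLE_STOP_LOGGING = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "eventTime": "2024-01-01T12:00:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
        "requestParameters": {"name": "management-events-trail"},
    },
}

if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))
    print(build_notification(SAMPLE_STOP_LOGGING))
```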