Google can penalize you for pretty much anything at the drop of a hat, even for off-site actions. Here’s a past thread on the topic of negative SEO, about a WordPress-related business that was attacked.
If somebody decides to point a bunch of spammy links in your direction, Google may assume it’s at your direction, even if it isn’t. It can be a lot of work to identify and disavow the bad links and get back in their good graces. Google will only share a sampling of what they consider to be spammy links.
It’s not unheard of for webmasters to go overboard and disavow links that are actually good, which then hurts them even more.
I know it sounds pretty crazy, but when thinking about why Google applies mysterious penalties and doesn’t disclose all the information they have about you, keep in mind Matt Cutts’s quote about spammers: “We want to break their spirits.”
If a spammer knew exactly what triggered a penalty, they could use that information to sneak around future penalties on sites they care more about.
Anyway, my suggestions would be:
Register your main site in Google Webmaster Console. This will (maybe) notify you after a penalty has been applied.
Have a TOS (conspicuously placed, linked to from every page) that has strict rules against spam that every user has to agree to before creating a site. Check out Automattic’s open-sourced legal documents and adapt for your needs.
Back up that TOS by swiftly banning any spammer on your network.
Use a solution like WangGuard to prevent known spammers from signing up in the first place.
I don’t think Webmaster Tools was designed with “multisite” in mind, and I’m not sure if it will automatically track sub-sites if they’re on subdomains. It would be a pain to add each separate network site if that were the case.
It also won’t give you a forewarning if you’re about to be penalized. This is where a third-party tool might come in handy, but I don’t know of any that are multisite-friendly.
Maybe somebody with experience in Moz, SEMRush, or others can chime in.