The first time somebody gets locked out, the're going to tell you they only failed to login twice.
I'd approach this as two problems. The first problem is auditing failures. I would audit every failure using Oracle built in auditing features. A record will get thrown to sys.aud$ when a failure occurs.
Second, I would lock their account after the third failed attempt.