in reply to /etc/shadow logging

Probably no real way to avoid it. Here's how I solved that problem a number of years ago. Wish I could find the original script, I'd just post it, but here's the pseudocode for it:

if backup of shadow file does not exist:
    a) copy shadow file to backup name
    b) exit
else:
    a) read in shadow file into a hash userid => encrypted password
    b) read in backup shadow file into a hash userid => encrypted password
    c) loop through shadow hash
       1) push userid into changed array if password fields do not match
       2) push userid into new id array if userid does not exist in backup hash
    d) copy present file into backup file
    e) email results

Since everything is kept "local" this can easily be replicated to all the machines you support somewhat painlessly and doesn't require a "database" in the true sense of the word.

If the backup copy of the shadow file doesn't exist, the assumption is that this is the first time the script has been run on a particular machine, and no action is taken other than creating the backup copy of the shadow file.

Take care that you preserve permissions such that you don't compromise the shadow file or its copy.


Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
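The pseudocode above, written out as a runnable Python script. This is an added example, not the poster's original script, and it goes slightly beyond the pseudocode: it also reports accounts that disappeared between runs, and it creates the backup copy with mode 0600 before any bytes are written and then matches the source file's mode and owner, so the copy is never world-readable even for an instant. The sample shadow contents, the hashes in them, the host name and the `shadow.bak` file name are all constructed for the demonstration; mailing the report is left to whatever mailer the host has.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample contents standing in for /etc/shadow on two consecutive
# runs. The hash fields are placeholders, not real crypt(3) output.
FIRST_RUN_SHADOW = """root:$6$abc$old:19000:0:99999:7:::
alice:$6$def$same:19000:0:99999:7:::
bob:$6$ghi$bobold:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
SECOND_RUN_SHADOW = """root:$6$abc$old:19000:0:99999:7:::
alice:$6$def$same:19000:0:99999:7:::
bob:$6$jkl$bobnew:19050:0:99999:7:::
carol:$6$mno$carol:19050:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, str]:
    """Return {username: encrypted-password field} for shadow(5) text.

    Only the first two fields are kept, so a change to the ageing fields
    alone (e.g. lastchange bumped by chage) is not reported as a password change.
    """
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow entry at line {lineno}")
        entries[fields[0]] = fields[1]
    return entries


def diff_shadow(current: Dict[str, str],
                backup: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Compare two parsed shadow files; returns (changed, new, removed) usernames."""
    changed = sorted(u for u in current if u in backup and current[u] != backup[u])
    new = sorted(u for u in current if u not in backup)
    removed = sorted(u for u in backup if u not in current)  # not in the pseudocode
    return changed, new, removed


def copy_shadow(src: str, dst: str) -> None:
    """Copy src to dst without ever exposing the copy's contents.

    dst is created 0600 before anything is written, then its mode is set to
    match src (typically 0640 root:shadow). Matching the owner needs root;
    if that fails the copy stays owned by the caller, which is the safe direction.
    """
    st = os.stat(src)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    try:
        os.chown(dst, st.st_uid, st.st_gid)
    except PermissionError:
        pass


def check_shadow(shadow: str, backup: str) -> Optional[Tuple[List[str], List[str], List[str]]]:
    """One run of the check. First run only seeds the backup and returns None."""
    if not os.path.exists(backup):
        copy_shadow(shadow, backup)
        return None
    with open(shadow) as f:
        current = parse_shadow(f.read())
    with open(backup) as f:
        previous = parse_shadow(f.read())
    result = diff_shadow(current, previous)
    copy_shadow(shadow, backup)  # roll the baseline forward for the next run
    return result


def format_report(host: str, result: Tuple[List[str], List[str], List[str]]) -> str:
    """Plain-text report suitable for piping into the local mailer."""
    changed, new, removed = result
    return "\n".join([
        f"shadow check on {host}",
        "changed passwords: " + (", ".join(changed) or "none"),
        "new accounts: " + (", ".join(new) or "none"),
        "removed accounts: " + (", ".join(removed) or "none"),
    ])


def demo(workdir: Optional[str] = None):
    """Simulate two runs on the sample files; returns (first, second, backup mode)."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    shadow = os.path.join(workdir, "shadow")      # stands in for /etc/shadow
    backup = os.path.join(workdir, "shadow.bak")  # hypothetical backup name
    with open(shadow, "w") as f:
        f.write(FIRST_RUN_SHADOW)
    os.chmod(shadow, 0o640)
    first = check_shadow(shadow, backup)
    with open(shadow, "w") as f:
        f.write(SECOND_RUN_SHADOW)
    second = check_shadow(shadow, backup)
    return first, second, stat.S_IMODE(os.stat(backup).st_mode)


if __name__ == "__main__":
    first, second, mode = demo()
    print("first run:", first)
    print(format_report("example-host", second))
    print("backup mode: %o" % mode)
```

Run as root against the real paths it reports bob's changed hash, carol as new and daemon as removed on the second run, and the backup ends up with the same 0640 mode as the source. Note that the backup is a second copy of every password hash on the box, so it deserves the same protection as /etc/shadow itself, which is exactly the permissions point made above.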