I still don't know the criteria for recovering an account whose owner has lost access to the OTP code, but I believe it's the same old method of using the registered email address and signed message. Now that's where the seller could play the buyer.
Sell the account to the buyer with the email and password, and then later claim then they don't have access to the OTP and have the recoveries team help them get back the account.

Email address changes are also not displayed in the seclog where the data about changes is scraped from. I don't know why, but if the Admin has all along been reluctant to display email address changes, then I doubt he will display the OTP code change info even on request.