When you audit commands that contain passwords such as CREATE LOGIN or CREATE CREDENTIAL, the password is not masked and will be shown as cleartext in the audit log.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This issue is fixed in the following cumulative update for SQL Server:
About cumulative updates for SQL Server:
Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server: