I don't think that's possible as SSO and WF don't exchange user information on a regular basis. Simplified, a user entering WF is redirected to SSO, is identified and returns to Workfront with his credentials attached and then Workfront checks if those credentials match a profile. Consequently, there is no exchange if a user doesn't enter Workfront.
You could consider three options:
a) Create a report of users who haven't been on WF for a long time (and then manually check in your system why)
b) Play around with the "update users for SSO" functionality in the setup (I unfortunately have no experience with it)
c) Use Fusion or the WF API to connect to your company's employee register and trigger the deactivation of the WF user if he/she cannot be found.
By the way, based on our data privacy evaluation, the access to WF is only blocked for a former user if you check the "SSO only" option - otherwise the users could still get into WF with a password.