You can approach it with something like this

(index=1 sourcetype="abc" "s1 event received" and "s2 event received" and "s3 event received") OR 
(index=2 sourcetype="xyz" "created") 
| rex "(?<e_type>s.) event received for (?<customer>\d+)" 
| rex "(?<created>created) for (?<customer>\d+)" 
| stats max(eval(if(e_type="s3",_time, null()))) as last_e_type max(eval(if(created="created", _time, null()))) as created_time dc(e_type) as e_types values(created) as created by customer
| addinfo
| where e_types=3 AND (created_time-last_e_type > 300 OR (isnull(created_time) AND info_max_time - last_e_type > 300)

so you search for both data sets and extract the customer using rex from the event types. It also extracts the event type (s1/s2/s3) into e_type. It then calculates the number of e_types and the relevant times, i.e. last_e_type is the time of the s3 event and created_time is the time of the created event.

Then the final where clause will require all 3 sX events to have been received and if the created time is more than 5min after the s3 or if there is no created event seen it will drop through.

Note that your time window for your search should allow for s1/s2/s3 AND created to be in the same dataset because if you run the search and it only sees s1 and nothing else and in the next search it sees s2 and s3 and no created, it will not alert.

So maybe the search should be set to run every 5 minutes and to look at a 10 minute window, e.g. from -10m@m  to -5m@m