No, you don't need a captcha because the user has authenticated. You can still have a DoS in that a bad guy locks out all of your user accounts though. And for that matter hammers you with traffic as the bad guy submits millions of requests to your site to try to do the lockouts. Which means
you should load
test. And if you are a website on which a DoS is likely, you should add another mechanism to avoid the lockouts. For example on this site, we use increasing delays between attempts after the first few to prevent the denial of service from happening in the first place.
I would use an email rather than a SMS message though. If someone gets ahold of your username/email combinations, they can SMS spam your users. Which is more intrusive than email spam.