Originally Posted by TenTenths
If the user is any good he'll have covered his tracks by editing anything in /var/log/* that would be relevant.
/var/log/secure and look for sudo sessions starting around the time of the event would be about all you'll get. Given how vulnerable your system is I'd think you're unlikely to ever find out.
This is why using a remote log server is important. Nobody except security investigations should log in on the log server.
And I would have said "...how vulnerable your systems are...". Anytime you have more than 4 people with uncontrolled root access, you have a severe problem.
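An added example, not part of either post: a filter that pulls sudo activity out of a `/var/log/secure` copy within a window around the event time, best run against the copy held on the remote log server since the local file may have been edited. The sample lines, host and user names, and the function name `sudo_events_near` are constructed for illustration, and the classic syslog line format is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the classic syslog format of /var/log/secure.
SAMPLE_SECURE = """\
Mar 12 13:10:02 web01 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar 12 13:55:40 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 12 13:55:40 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar 12 14:20:05 web01 sudo: pam_unix(sudo:session): session closed for user root
Mar 12 16:40:11 web01 sudo:     bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar 12 16:40:11 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by bob(uid=1001)
"""

# timestamp, host, then the message of any line logged by sudo
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sudo(?:\[\d+\])?:\s+(.*)$")
# "<invoker> : TTY=... ; USER=<target> ; COMMAND=<command>"
COMMAND = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
# Covers both "user root by alice(uid=0)" and "user root(uid=0) by bob(uid=1001)".
OPENED = re.compile(
    r"session opened for user ([\w.-]+)(?:\(uid=\d+\))? by ([\w.-]*)\(uid=\d+\)"
)


def sudo_events_near(log_text, event_time, window_minutes=30):
    """Return (timestamp, host, invoking user, detail) for sudo lines in the window."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a sudo line
        # Classic syslog timestamps carry no year; assume the event's year.
        ts = datetime.strptime(f"{m.group(1)} {event_time.year}", "%b %d %H:%M:%S %Y")
        if abs(ts - event_time) > window:
            continue
        host, msg = m.group(2), m.group(3)
        cmd = COMMAND.match(msg)
        opened = OPENED.search(msg)
        if cmd:
            hits.append((ts, host, cmd.group(1), f"ran {cmd.group(3)} as {cmd.group(2)}"))
        elif opened:
            hits.append((ts, host, opened.group(2), f"opened session as {opened.group(1)}"))
    return hits


if __name__ == "__main__":
    for hit in sudo_events_near(SAMPLE_SECURE, datetime(2024, 3, 12, 14, 0, 0)):
        print(*hit, sep=" | ")
```

Comparing the result from the remote copy with the same query on the host's own file shows whether local entries for that window were removed.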