There's several "su"'s out there, but yours looks like it reports both source and target user. If they start at 'root', and are dropping down to 'nobody', I'd say it was more like a script running that needed to drop root privs before running. I had an IRC server that had to be run as a normal user, yet the script to control it was root-only. I used to su down to nobody as a solution before I changed to my current setup.
Try grepping thru some system start scripts and see if you see it: fgrep 'su nobody' /etc/rc.d/rc.* (or where ever you keep your startup and rc scripts). At 5:30 a.m., that might be a cron job running.
You need to worry when you see user "nobody" trying for user "root".
PS: Is your hostname/domainname set correctly?