Could also check sys.database_permissions and join back to sys.database_principles on the grantor to see which login did it. But if its a group then you will need to check the trace as Jack has already mentioned if it hasn't rolled over already.