ok, you can get whodunnit info fromt eh default trace, i just tested this:
so if not too much time has passed, you can find out who;
declare @path varchar(255)
SELECT @path = path from sys.traces WHERE id = 1--the Default Trace
SELECT
TE.name As EventClassDescrip,
v.subclass_name As EventSubClassDescrip,
T.*
FROM ::fn_trace_gettable(@path, default) T
INNER JOIN sys.trace_events TE ON T.EventClass = TE.trace_event_id
INNER JOIN sys.trace_subclass_values V
ON T.EventClass = V.trace_event_id AND T.EventSubClass = V.subclass_value
WHERE EventClass = 109 --Audit Add DB User Event
AND EventSubClass IN (3,4) --ADD USER, DROP USER implicitly does [Grant database access],[Revoke database access]
i tested it by simply going to a test database and adding and droping a couple of users.
CREATE USER [bob] WITHOUT LOGIN
CREATE USER [jeff] WITHOUT LOGIN
DROP USER [bob]
DROP USER [jeff]
then looking at the last entries in my default trace, i got the EventClass and SubClass to add filters for a WHERE statement.
Lowell