On SQL 2005 Trace should work just fine. Most third-party tools will likely leverage Trace anyway. You can filter on SessionLoginName to capture all SQL text issued to the instance by any member of the sysadmin Role, but that needs to be defined when the Trace is started. Of course there are ways to circumvent that Trace, namely creating a new login, adding it to the sysadmin Role, then logging in as that login to carry out an attack. The creation of the login will be logged though, however server/service reboots could afford someone a chance to get in unnoticed if they can prevent the Trace from starting. The bottom line is that a skilled person that can enter using a login in the sysadmin Role will know how to circumvent all of this type of auditing but it will catch the lesser skilled ones and make the more skilled ones time a little harder if they want to avoid detection.