• Jeff Moden (3/30/2013)


    Ok. So let's ask another question. To keep it simple, you've either been given administrative privs on a box or you are the administrator. You fire up PowerShell and drop hundreds of files from a file vault. What is logged?

It depends on what type of audit software is in place. You have the same options for auditing deleted OS files when the delete is initiated by PowerShell as you do when it is initiated by xp_cmdshell, except in the PowerShell scenario the logged event would show the actual user that initiated the delete and the xp_cmdshell event would appear to have been done by the SQL Server service account. If you try auditing the database activity in conjunction then I can show you a quick hack using a global temp table where the contents of the command sent into xp_cmdshell are hidden from the Trace.

There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
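An added example, not code from this thread, of the "auditing the database activity in conjunction" idea: a SQL Server Audit that records every xp_cmdshell execution together with the login of the session that issued it, so an OS file-audit entry attributed to the SQL Server service account can be matched back to a SQL Server login. The audit names and the file path are assumptions.

```sql
-- Added example (not from this thread): record xp_cmdshell executions with the
-- calling login, so that an OS file-audit entry showing only the SQL Server
-- service account can be tied to the SQL Server session that caused it.
-- Audit names and the file path are assumptions; adjust to the environment.
USE master;
GO

-- Server-level audit writing to a file target.
CREATE SERVER AUDIT Audit_xp_cmdshell
    TO FILE (FILEPATH = 'D:\SQLAudit\')          -- assumed path
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_xp_cmdshell WITH (STATE = ON);
GO

-- xp_cmdshell lives in master, so the specification is a database audit
-- specification created in master. Auditing BY public covers every principal.
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_xp_cmdshell
    FOR SERVER AUDIT Audit_xp_cmdshell
    ADD (EXECUTE ON OBJECT::sys.xp_cmdshell BY public)
    WITH (STATE = ON);
GO

-- Review: who ran xp_cmdshell, when, and the statement text that was captured.
-- session_server_principal_name is the login that owns the session, which is
-- exactly the value the OS event cannot show (it only sees the service account).
SELECT  event_time,
        session_server_principal_name,  -- login that issued the call
        server_principal_name,          -- effective principal (after EXECUTE AS)
        statement,
        succeeded
FROM    sys.fn_get_audit_file('D:\SQLAudit\Audit_xp_cmdshell*.sqlaudit', DEFAULT, DEFAULT)
WHERE   object_name = 'xp_cmdshell'
ORDER BY event_time;
```

Correlating event_time here with the timestamp of the OS file-delete audit event gives the attribution that the OS log alone lacks.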