The syntax for CREATE SERVER AUDIT is:

[sql]

CREATE SERVER AUDIT audit_name

{

TO { [ FILE (<file_options> [ , ...n ] ) ] | APPLICATION_LOG | SECURITY_LOG }

[ WITH ( <audit_options> [ , ...n ] ) ]

[ WHERE <predicate_expression> ]

}

[/sql]

Where <predicate_expression> is

<predicate_factor>::=

event_field_name { = | < > | ! = | > | > = | < | < = } { number | ' string ' }

[/sql]

And for event_field_name, Books Online says:

Is the name of the event field that identifies the predicate source. Audit fields are described in sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and audit_file_offset.

That is, you should be able to filter out sa with

sessoion_server_principal_name <> 'sa2'

I'm not sure what you see when you see VIEW SERVER STATE, but the same may be possible in this cas.