• Yes, sa could create an executable file on the server. For instance, by first inserting the binary string into a table, and then exporting it to a file with BCP through xp_cmdshell.

    Finding out exactly what happened on that server before and after the trace stopped will be difficult. But it seems that you at least have the point in time it happened through the trace. I would advise that you restore the databases to a point in time before the intrusion on a different server or similar, and use a tool like Red Gate's SQL Data Compare to see if you can find traces of manipulated data. If you have sensitive data on the server like passwords, credit card numbers etc., you have every reason to be worried.

    And most of all, you need to figure out how the intruder came in. Are there applications logging in as sa? Are there web applications which have holes for SQL injection?

    Erland Sommarskog, SQL Server MVP, www.sommarskog.se
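
The questions raised in the reply above can be checked directly on the instance. The following T-SQL is an added example, not part of the original post: it reports whether xp_cmdshell is enabled, which applications and hosts are currently connected as sa, and who holds sysadmin. It uses only standard catalog views and DMVs and assumes the caller has VIEW SERVER STATE permission.

```sql
-- 1. Is xp_cmdshell enabled? value_in_use = 1 means it can be called right now.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which applications and hosts are logged in as sa right now?
--    SUSER_SNAME(0x01) resolves the sa login even if it has been renamed.
SELECT s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       COUNT(*)          AS session_count,
       MIN(s.login_time) AS earliest_login
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c
       ON c.session_id = s.session_id
      AND c.parent_connection_id IS NULL   -- skip MARS child connections
WHERE s.is_user_process = 1
  AND s.login_name = SUSER_SNAME(0x01)
GROUP BY s.login_name, s.host_name, s.program_name, c.client_net_address
ORDER BY session_count DESC;

-- 3. Who is a member of sysadmin, and when was each principal created or changed?
--    Unexpected or recently created members deserve a closer look.
SELECT p.name,
       p.type_desc,
       p.is_disabled,
       p.create_date,
       p.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p
  ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.create_date DESC;
```

Query 2 only shows sessions that are connected at the moment it runs, so it is worth repeating over a period to catch applications that connect intermittently.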