If there is no record of the successful login from the intruder, it is difficult to track.
But unless sa had a blank password or something else guess at first attempt, I would expect there to be tons of failed login attempts, if it is was a brute-force attack.
[font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]