If there is no record of the successful login from the intruder, it is difficult to track.

But unless sa had a blank password or something else guess at first attempt, I would expect there to be tons of failed login attempts, if it is was a brute-force attack.