Did you try SA with a blank password or SA with sa password?
Are you sure that nobody actually knows the SA password for the server?
Did you run the profiler to make sure that it is SA who is logging to the database?
What is the application code? Is it a web application, VB application? MS ACCESS? Excel? I actually know how to get the password from the Excel front end in some cases.
Did you search the server folders for the file with the word "password" ? Some developers and sysadmins document their work and the installation description or maintenance document could be actually present on the server. Also, there could be a configuration file in the application directory that contains the connection string.
Did you actually try to locate the previous support person and call him or her?