Hi - If I understand your question you are trying to find out if you can identify who is using the 'sa' account and from where.
There is a solution out there but I can't post this on this thread since it could be considered advertising. Please contact me (email@example.com) and I can provide you with the company name/product that achieves what you are looking for.
The solution will allow you to:
> Block the use of 'sa' from any machine outside of the database server itself and the GP box
> Log all attempts to use the 'sa' account from anywhere along with the IP address
> Use 2-factor authentication (extreme case) if you want to know who is actually using 'sa' and from which IP/MAC address
> Ensure that 'sa' is only usable by GP and not Query Analyzer
MCDBA, MCSE, MCSD
SQL Server Database Proxy/Firewall and Auditing