Well, mostly the good ol' tried-and-tested method of "asking around". My specialty is to "not stop asking until I get a satisfying answer".
Usually, we trace it down to some application that someone on a senior management panel decided they would have - and when the technicians got to work, it turned out that the design of said application is wanting: it can't run unless centralized anonymous logins (without supervision!) are added to all the clients' instances... Then it is merely a matter of writing up the case and handing it over to (other) managers to take action on - or not. Then add the intel to our documentation for future reference.
Every now and then, nobody can come up with an acceptable excuse for adding it. In which case, I merely delete it again. My way of thinking is: Stupid developers and admins may be hurt. Their problem. They should know better. Innocent users of an application get hurt. My problem. Their managers should know better - but that's for managers to handle. I can't go around reverting decisions made on the top floors. But everything we have needs to be understood and properly labelled; responsibility assigned.
So to recap: I'm not handling 100+ databases and instances, but the approach is the same:
- Extract a list of "who has the credentials to perform the action"
- Ask them - with a deadline of 1 working day - if they did it or know anything about it
- Delete it, if no 'reason to keep' reveals itself
- Write a memo to my management, if a reason is revealed, and keep the login if I agree that it may exist.
And of course: Suspicious activity is blocked right away! I am talking about acceptable activity which just isn't understood by anyone but the one who created the login. We can't have that - but it is more like an everyday cleaning activity than handling a specific security breach. That, of course, begs the question "What is suspicious?", but that comes from context, experience and talking with peers. I train juniors to ask more questions rather than fewer.
My approach would change if we were 'attacked' daily, because then it wouldn't be manageable this way.