Just a quick note. Terminal name can be spoofed. I think it comes over as part of SAP DIAG protocol. I played with protocol few years ago and I think you can simply replace host name when you have control over network.
I also vote for security audit log. That's the only reliable source of information.
Cheers