With Confluence OnDemand, the only access logging is the apache access log, which is only going to show you the IP address of those who accessed your instance. It sounds like this user has legitimate access to at least part of your instance, so this probably won't be of any benefit.
If this would be of any help for you, just submit a support request and we will send the log over right away.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG