hostd would be the log file to look at, I don't believe it will tell what user did it though. You migh thave to also check the authentication logs.
• You can check several log files on the ESX server based on the problem you are experiencing, these include:
o Vmkernel - /var/log/vmkernel – records activities related to the virtual machines and ESX server
o Vmkernel Warnings - /var/log/vmkwarning – records activities with the virtual machines
o Vmkernel Summary - /var/log/vmksummary - Used to determine uptime and availability statistics for ESX Server; human-readable summary found in /var/log/vmksummary.txt
o ESX Server host agent log - /var/log/vmware/hostd.log - Contains information on the agent that manages and configures the ESX Server host and its virtual machines (Search the file date/time stamps to find the log file it is currently outputting to.)
o Service Console - /var/log/messages - Contain all general log messages used to troubleshoot virtual machines or ESX Server
o Web Access - /var/log/vmware/webAccess - Records information on Web-based access to ESX Server
o Authentication log - /var/log/secure - Contains records of connections that require authentication, such as VMware daemons and actions initiated by the xinetd daemon.
o VirtualCenter agent - /var/log/vmware/vpx - Contains information on the agent that communicates with VirtualCenter
o Virtual Machines - The same directory as the affected virtual machine’s configuration files; named vmware.log - Contain information when a virtual machine crashes or ends abnormally
