Not sure where the sulog is or if there is one on ESX but I normally use the /var/log/secure which shows all authentication attempts etc including su upto root. Use with a combination of 'last' can be quite useful. If all you need is to see who is trying to log in then the secure log should do it.

Try:

cat /var/log/secure | grep root

Hope this helps,

Dan