Not sure where the sulog is or if there is one on ESX, but I normally use /var/log/secure, which shows all authentication attempts etc., including su up to root. Using it in combination with 'last' can be quite useful. If all you need is to see who is trying to log in then the secure log should do it.
Try:
cat /var/log/secure | grep root
Hope this helps,
Dan
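A more targeted take on the grep above, as an added example that is not part of the original post: it counts successful and failed su attempts to root and failed SSH password attempts for root, per user or source address. The function names are hypothetical, the sample lines are constructed, and the message layout is assumed to be classic syslog with pam_unix and sshd messages, so adjust the patterns to what your host actually logs.

```shell
#!/bin/sh
# Added example: summarise root-related events from a "secure"-style auth log.

# Constructed sample lines (not taken from a real host).
sample_secure_log() {
cat <<'EOF'
Mar  3 09:58:11 esx01 sshd[2101]: Accepted password for dan from 192.0.2.10 port 40122 ssh2
Mar  3 10:01:45 esx01 su(pam_unix)[2150]: session opened for user root by dan(uid=500)
Mar  3 10:07:02 esx01 sshd[2188]: Failed password for root from 192.0.2.77 port 51344 ssh2
Mar  3 10:07:06 esx01 sshd[2188]: Failed password for root from 192.0.2.77 port 51344 ssh2
Mar  3 10:12:30 esx01 su(pam_unix)[2240]: authentication failure; logname=bob uid=501 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar  3 10:20:00 esx01 sshd[2301]: Failed password for invalid user rooter from 192.0.2.77 port 51400 ssh2
EOF
}

# Reads log lines on stdin and prints "<EVENT> <who-or-source> <count>".
# Field 5 is the process tag in the assumed layout: month day time host tag message.
root_events() {
    awk '
    # su to root succeeded: the last field looks like "dan(uid=500)"
    $5 ~ /^su[^a-z]/ && /session opened for user root by / {
        who = $NF; sub(/\(uid=.*/, "", who); ok[who]++; next
    }
    # su to root failed: pam_unix records the calling user as ruser=
    $5 ~ /^su[^a-z]/ && /authentication failure/ && $NF == "user=root" {
        for (i = 6; i <= NF; i++)
            if ($i ~ /^ruser=/) fail[substr($i, 7)]++
        next
    }
    # direct SSH password failure for the exact account name "root"
    $5 ~ /^sshd\[/ && $6 == "Failed" && $9 == "root" && $10 == "from" {
        ssh[$11]++
    }
    END {
        for (u in ok)   print "SU_OK", u, ok[u]
        for (u in fail) print "SU_FAIL", u, fail[u]
        for (s in ssh)  print "SSH_FAIL", s, ssh[s]
    }' | LC_ALL=C sort
}

# Demo on the constructed sample; on a real host: root_events < /var/log/secure
sample_secure_log | root_events
```

Unlike a plain grep for "root", this ignores lines that merely contain the string (the "rooter" line in the sample) and shows who was behind each su.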