or you can execute

AUDIT CREATE USER BY ACCESS WHENEVER SUCCESSFUL
AUDIT CREATE USER BY ACCESS WHENEVER NOT SUCCESSFUL

OR

AUDIT CREATE USER BY SESSION

Are you suspicious of administrators or normal users?
Which parameter(s) did you enable?...
1.AUDIT_SYS_OPERATIONS=TRUE
2.AUDIT_TRAIL=DB/OS
3.GOTO
http://download-west.oracle.com/docs...t.htm#ADMIN026
for more detail