Tracking down anonymous user

[mikef () everfast com]

I’m trying to track down an internal user who is sending email under a different user account to hide his/her identity. 
Scenario:
I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent a 
message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not someone 
spoofing. As a matter of fact it’s definitely someone in the IT department.
Is there a way to track down what computer (IP address) was used to send the messages? 
The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange server 
2003.

I’ve check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there was no 
header info), but I’m not getting anywhere. If I can’t get them this time what can I do to catch them the next time.