SQL Server: How do you check if it's safe to change the SA password?
See this article/tutorial which explains how to enable login auditing in SQL Server 2000 and 2005:
Who is logging in as the sa login in SQL Server?
The native audit level configuration is a simple configuration that can help to determine if the sa login is used in the SQL Server instance. What this configuration does is records all of the successful (or failed or both) logins into a particular SQL Server instance. You will not know the host name, application, etc. However, this configuration will enable you to determine if the sa login is being used in the first place. Once you have this information, then you can dig deeper with SQL Server Profiler outlined below.
For SQL Server 2008 there is a new feature "SQL Server Audit". The following article explains how to autid logins including example scripts: SQL Server Audit in SQL Server 2008.