I don't know where or if you want to store this activity as a record but one other way of doing things is to just use their Windows Login name (not their password). I doubt you have anyone there who could spoof that. If their login names are not suitable, you can get their credentials from their user table record. Again, they could not fake that. This assumes that you're not using a shared login (everyone just sits down and does stuff without having to sign in) and that no one shares a pc login; i.e. you cannot use my pc with me logged in for whatever it is you're doing. This could have the added benefit that it might expose any shared logins when a record has my initials on it but should not.
The more we hear silence, the more we begin to think about our value in this universe.
Paraphrase of Professor Brian Cox.