This content has been marked as final. Show 3 replies
Was auditing of CREATE USER enabled before the user was created? If so, does the audit trail data still exist from whenever the user was created?
Another way you could find out is to check if any object-level privileges have been granted to the user because the table dba_tab_privs does record the grantor. If you are fortunate enough to find such grants, it is very likely the same person who created the user. Unfortunately dba_role_privs and dba_sys_privs do not have such a column.
Or you could try to Log Miner if your database has archivelog enabled.
normally DBA account (SYS/SYSTEM) have permission to create it.
if its created from sys account and auditing for sys is enabled then you can get helpful information from adump location