Tracking IMIS Users page access

We have recently had some issues with a user who accessed areas of our website that we did not want them to have access to and made changes.

From what I can tell, when a REST or SOAP call is used with ASI.Scheduler, it says the change was done by the MANAGER, so I am hoping to figure out a way to track the users' access to regular web pages and find any unusual activity. We had them secured with IP security, which did not help, so trying to at least track the users' browsing activity might point us to the compromised accounts.