A combination of the IIS logs on the OWA server and the Security Event Log on the Domain Controller(s) where the logons are validated will give you all the detail you're looking for. You can probably get everything you want from just the IIS log, ultimately, but artifacts of the attempted logon will be present in both.
Of course, this is assuming that your Domain Controllers have a sane security policy that audits successful and failed logon events and that you've got IIS logging running on the OWA server. Obviously, if you're not logging things then there's nowhere to look.
A combination of the IIS logs on the OWA server and the Security Event Log on the Domain Controller(s) where the logons are validated will give you all the detail you're looking for. You can probably get everything you want from just the IIS log, ultimately, but artifacts of the attempted logon will be present in both.
Of course, this is assuming that your Domain Controllers have a sane security policy that audits successful and failed logon events and that you've got IIS logging running on the OWA server. Obviously, if you're not logging things then there's nowhere to look.