If, of course, you're in the unfortunate position of not having that log entry, your best bet is to go through and see if you can determine when, precisely, it was installed, and correlate that with the Security Event Logs to determine with had an interactive logon session at that time.
The Adobe installer logs might be more helpful in narrowing down the precise time of install too, as it's possible your logging level didn't even log a non-MS application installation in the Event Logs. Either way, it's probably a matter of finding the precise time, and going through the Security logs to determine who had an open type 2 or type 10 logon during that time.
It's really kind of a pain, and if you're the one who's going to be relegated to log diving, it might not be a horrible idea to do a quick cost/benefit breakdown of how much it's going to cost to ferret out this [not-entirely-conclusive] information, because it's not exactly a smoking gun. It'll give you a pretty strong case as to who did it, but unless you have a high enough logging level to see which user called the installer, it's not going to be considered definitive proof. (Or at least I've never seen it taken that way.)
Using Event Viewer, you can filter the Application log for Event ID 11707. Search by the particular date/time you think the program was installed and it will also list a user name. Very useful if you need to track who is installing what, when.
Alternatively, you can filter the Application log for Event ID 11724 if you need to see who uninstalled an application.
Depending on your logging level, you may be able to look through the event logs and see who called the installer.
In fact, I just installed Adobe Reader on a default 2008 R2 VM, and did find that it recorded the user who installed the program. Sort of.
Correlate that GUID to a user, and you're golden.
If, of course, you're in the unfortunate position of not having that log entry, your best bet is to go through and see if you can determine when, precisely, it was installed, and correlate that with the Security Event Logs to determine with had an interactive logon session at that time.
The Adobe installer logs might be more helpful in narrowing down the precise time of install too, as it's possible your logging level didn't even log a non-MS application installation in the Event Logs. Either way, it's probably a matter of finding the precise time, and going through the Security logs to determine who had an open type 2 or type 10 logon during that time.
It's really kind of a pain, and if you're the one who's going to be relegated to log diving, it might not be a horrible idea to do a quick cost/benefit breakdown of how much it's going to cost to ferret out this [not-entirely-conclusive] information, because it's not exactly a smoking gun. It'll give you a pretty strong case as to who did it, but unless you have a high enough logging level to see which user called the installer, it's not going to be considered definitive proof. (Or at least I've never seen it taken that way.)
Using Event Viewer, you can filter the
Application logfor Event ID11707. Search by the particular date/time you think the program was installed and it will also list a user name. Very useful if you need to track who is installing what, when.Alternatively, you can filter the
Application logfor Event ID11724if you need to see who uninstalled an application.Information found through this website.
Check in c:\users\\downloads and in the user temp directories for adobe related files.