Basically, once it's over it's hard to track. You might be able to look up domains generating large amounts of outgoing email in your log summaries and guess from that. It really depends on how they were generating the spam - if they were doing it out port 25 you're hosed - there's not much you can do to track it to an account.
Ya it might be late if they are already using your server scripts, but you can still enable phpsuexec and mod security on your server to prevent further damage.
Better late then never
RootSupport.Com - Solutions That Fit On The First Try
::::: AIM: linuxengineers ::::: MSN: [email protected] :::::
*Seven days FREE trial available on selected plans 24x7x365 days - Windows & Linux Servers