Should anyone find this post useful - The answer is 'yes' to capture a user logging in, or automatic creation of a user when a new user logs in, using windows auth (our authentication is based on the method described here: http://blog.tomstenius.com/2009/09/windows-authentication-in-episerver.html).  

The IntegrationHttpModule described in the above blog needs to be switched to a reflected and amended version (we amended the SynchronizeUser method to log both of these events).

Answer is 'no' to log permissions changing (or anything else changing relating to groups / users).

To capture content permissions changing: http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=86778&epslanguage=en

To capture permission changes made in the community admin area, we were only able to do this by changing the code behind of the security pages and/or controls (/EPiServerCommunity/Security).  So the code behind referenced in the page/control needs to be switched to a reflected and amended copy of the original (which are in the EPiServer.Community.Web.Administration dll).

Let's hope we never need to upgrade EPiServer on this site :-)

... To customise any part of standard EPiServer UI (assume it can be used on the community area too, but has not been necessary for us) this technique can be used: http://world.episerver.com/Blogs/David-Knipe/Dates/2010/5/Customising-the-EPiServer-UI/ (moved from EPiServer.config to EPiServerFramework.config in 7, 7.5)