user activity should be logged in a few places:
1 - agent logs on the target system. this is aggregated by the "collect agent logs" script run during reports population and available under the 'server activity' report section
2 - object access - this is available in reports if you login as a member of the RBACAdmins role. there should be some "RBAC Reports" that shows access granted or denied to various objects in the GUI.
3 - Job Activity reports - this shows you what was run, by who against what servers.