Unfortunately, you can’t find out the most recent ACL hits on a Pix515e. At least, not any method I have ever seen. What you can do is clear all of the ACL counters and wait a week or two and see which ACL’s get hit. This is done via the following command:
clear access-list <i>name</i> counters
When it comes to cleaning up firewall rules, I have always been of the impression that if there are too many, then just disable them all and wait for the calls/e-mails to come in. There should be some default rules(HTTP/HTTPS, SMTP) that you will be able to enable right off the bat. It is the other obscure ones referencing specific source/dest IP’s that are harder to figure out, which is why it is best to have the user call you. Remember that when something is no longer needed(ie a VPN site to site tunnel), you are not going to get a call to remove it from the firewall. It will just sit there for years and years. The only down side to disabling everything is that the end user might wait until 2AM to report the problem.