Since there are so many possible servers a profile could be used to access, (DDM, SQL, FTP, SIGNON, etc) you really need the entire suite of exit programs that allow you to log all network access attempts. I use NetIQ but there are others out there, or if you have the time and patience, IBM redbooks give you sample exit pgms for most of the exits.
Since you don’t say how old your system is, it’s hard to give the best options.
Try displaying audit journal entries with type and code T/PW to an *outfile using *TYPE5 format. The IP address, as well as various additional attributes, should be included in the entry headers.
If you don’t have auditing turned on, then it’ll be tricky finding anything out.