The first line would be to define strong passwords for database user accounts, and grant only the necessary privileges to each user or role. If a user knows a valid (and privileged) account and its password, there is not much the RDBMS can do.
The username and password that users enter to log into the forms applications should not be the real database user. Users should not know database accounts.
If archived logs are available, you could use Log Miner to look for the changes in the logs.
To track this kind of changes in the future, you could define triggers to log changes, or you can enable Database Auditing, which was improved in 10g and does not have the performance impact that the audit implementation by triggers would have.
Have a look at the following document, which you could find useful.
Oracle Security – A Definition in Plain English.