You could easily submit a feature for this. Check out JBoss from CVS and look in the "varia" directory.
There is a way to get the user name from the Servlet object. Simply add the necessary appropriate log statements to the controller servlet. This would be a few hours worth of work. Then, feel free to send a patch. I would add a configuration key in the web.xml for turning on/off the logging.
Thanks for your reply. I was alluding to the new JMX 1.2 security features to be delivered with 3.2.4. Given that the user has been authenticated via JAAS to modify JMX attributes, will the mbean be able to determine who is making a change regardless of how that user is connected to the JMX server, html, rmi, etc?