We have a web server with lots of virtual hosts on it. One day the mail queue exploded to over 100k messages. Obviously someone had used our server to send lots of spam. Tracking down what script was responsible was not an easy task. Lucking, starting in PHP 5.3 you can put the following in your php.ini to track some of that information.
mail.add_x_header = On mail.log = /var/log/php-mail.log
The first makes php add an X-PHP-Originating-Script header to each email that contains the UID of the script owner and the filename of the script. This alone is probably sufficient to track down any abuse, assuming you can catch one of the outgoing emails to check. The second creates a log file that tracks every time someone send email with the path to the script, the line the mail() was called from, and the To: field.
With this information it was easy to track down the offending script.