The event only is triggered when you logon to the vCenter Client or Web Client with the root account.
When you logon locally (SSH for example), that will NOT be triggering an alarm, because the event I assume you are referring to, is only present on the ESXi node.
While alarms are defined on the vCenter.
$si = Get-View ServiceInstance
$alarmMgr = Get-View -Id $si.Content.AlarmManager
# AlarmSpec
$alarm = New-Object VMware.Vim.AlarmSpec
$alarm.Name = "ESXi Root Logon"
$alarm.Description = "Root account logon to an ESXi node"
$alarm.Enabled = $true
# Transition - green --> red
$trans = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
$trans.StartState = "green"
$trans.FinalState = "red"
# Expression - Login
$expression = New-Object VMware.Vim.EventAlarmExpression
$expression.EventType = 'UserLoginSessionEvent'
$expression.objectType = "HostSystem"
$expression.status = "red"
# Root login
$comparison = New-Object VMware.Vim.EventAlarmExpressionComparison
$comparison.AttributeName = 'userName'
$comparison.Operator = 'equals'
$comparison.Value = 'root'
$expression.Comparisons += $comparison
$alarm.expression = New-Object VMware.Vim.OrAlarmExpression
$alarm.expression.expression += $expression
$alarm.setting = New-Object VMware.Vim.AlarmSetting
$alarm.setting.reportingFrequency = 0
$alarm.setting.toleranceRange = 0
$alarmMgr.CreateAlarm($si.Content.RootFolder,$alarm)