Hi,
You can understand it from the authentication log file and from the date and time of creation of the VM (date of the vmdk file), analyzing these two data, you can understand who is logged in.
Suppose, however, that if you used administrator@vsphere.local (vCenter) or root (Esxi) user authentication ... it could have been anyone who used that account.
To work around this problem, you need to create accounts per person or use your personal Active Directory account (with the necessary configurations). In this case from the log files, you can see exactly who did and what.
If it can be useful:
https://www.virtuallyghetto.com/2017/06/auditinglogging-vcenter-server-authentication-authorization-activities.html
--------------
ESXi Log File Locations
Authentication | /var/log/auth.log | Contains all events related to authentication for the local system. |
VMkernel | /var/log/vmkernel.log | Records activities related to virtual machines and ESXi. |
VMkernel warnings | /var/log/vmkwarning.log | Records activities related to virtual machines. |
ARomeo