2I find filtering on eventID 4624 to be the best way to extract this information from the Security log. – Frank Thomas – 2015-10-21T15:57:35.890

As a side note to my answer, when filtering by event ID the times are no longer in chronological order by time. You could either choose to Filter Current Log... and specify what you want, or you could organize it by Date and Time then look for the correct ID. Assuming you have a general time frame of when this happened, sorting by Date and Time may be the best option. – DrZoo – 2015-10-21T16:01:48.843

1Thanks for the reply, but can I tell from which IP address he has logged? Because actually me and my team members all have the administrator account. So when I look at "Account Name", it just gives me "Administrator" which doesn't help. – KhaledMaged – 2015-10-21T16:07:42.717

@KhaledMaged as long as you guys all have a different computer, you can tell which computer it is by checking the computer name in the log. The computer name is the field that says Computer. I updated the image and circled the computer name field in blue. – DrZoo – 2015-10-21T16:12:12.613

1@DrZoo But this field gives me the name of the remote computer in all cases. Even in the cases where I logged. Only the name of the remote computer itself. I know this may be weird, but that's what I have in front of me. – KhaledMaged – 2015-10-21T16:24:39.557

@KhaledMaged Another thing you could try is again going to Event Viewer and look under Application and Services logs. Then look under the RemoteApp and Desktop Connections folder and try the TerminalServices-LocalConnectionManager, TerminalServices-RemoteConnectionManager folders. Hopefully one of those have valuable information that you could use. – DrZoo – 2015-10-21T20:15:24.243