This is not Extended Event related but it came from a question on Twitter about how to tell who and from what machine a server side trace was created, and there is no way to explain this in 140 characters so here’s a blog post. This information is tracked in the Default Trace and can be found by querying for EventClass 175 which is the Audit Server Alter Trace Event trace_event_id from sys.trace_events.
where name like '%trace%'
To query the default trace for this information we can do the following:
DECLARE @FileName VARCHAR(MAX)
SELECT @FileName = SUBSTRING(path, 0, LEN(path)-CHARINDEX('\', REVERSE(path))+1) + '\Log.trc'
WHERE is_default = 1;
FROM sys.fn_trace_gettable( @FileName, DEFAULT ) AS gt
WHERE EventClass = 175