OK looks like you have covered all the bases.
Only 3 suggestions come to mind.
1, use SSL Client / server certificates.
2, run a script against both logs looking for IP addresses that access more than one account and write it to a second log to look at later.
3, and this is probably the best, but also a costly one. Write a front end to the application that the user has to load to access it. I use one like this to check illegal files on game players' machines while playing MOHAA. Now in the code for this, collect the MAC address of the posting machine and send this to the application server. This will identify the same machine every time.
Unfortunately, MACs cannot be accessed over the net unless you do it at the PC, as switches, routers etc. will only see the ARP call.
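
Suggestion 2 above, sketched as an added example that is not part of the original post. The log layout (an IPv4 address followed somewhere by a `user=` field), the sample lines and the output file name `shared_ips.log` are assumptions, since the thread does not show the real logs.

```python
import re
from collections import defaultdict

# Constructed sample data standing in for the two logs (format is assumed).
WEB_LOG = """\
2004-03-01 10:02:11 192.0.2.10 login user=alice
2004-03-01 10:05:40 192.0.2.10 login user=bob
2004-03-01 10:07:02 198.51.100.7 login user=carol
"""
APP_LOG = """\
2004-03-01 10:09:15 198.51.100.7 post user=carol
2004-03-01 10:11:48 203.0.113.5 post user=dave
2004-03-01 10:12:30 203.0.113.5 post user=Alice
malformed line without the expected fields
"""

# Assumed layout: an IPv4 address, then later on the same line "user=<name>".
LINE_RE = re.compile(
    r"\b(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?\buser=(?P<user>[\w.@-]+)"
)

def shared_ips(*logs, threshold=2):
    """Return {ip: [accounts]} for IPs seen with >= threshold distinct accounts."""
    accounts_by_ip = defaultdict(set)
    for log in logs:
        for line in log.splitlines():
            m = LINE_RE.search(line)
            if m is None:
                continue  # skip lines that do not carry both fields
            # Lower-case so "Alice" and "alice" count as one account.
            accounts_by_ip[m["ip"]].add(m["user"].lower())
    return {ip: sorted(accts) for ip, accts in accounts_by_ip.items()
            if len(accts) >= threshold}

def write_report(hits, path):
    """Write one tab-separated line per flagged IP to the second log."""
    with open(path, "w", encoding="utf-8") as fh:
        for ip, accts in sorted(hits.items()):
            fh.write(f"{ip}\t{len(accts)}\t{','.join(accts)}\n")
    return len(hits)

if __name__ == "__main__":
    # Hypothetical output file name for the review log.
    write_report(shared_ips(WEB_LOG, APP_LOG), "shared_ips.log")
```

Users behind the same NAT gateway or proxy will share an address, so the output is a list to review rather than proof that accounts are linked.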