Feature Request: Report if root account is ever used

[rbeede]

It'd be nice to have a audit check that reports if it sees a login from the root account.

We add MFA to ours and try to never use it for anything unless absolutely required. It'd be nice if I could audit its usage with information such as the date+time and an IP address.