Security

The record of who added the system to the domain would be on the domain controller they authenticated against. This event may or may not be in the security log depending on what you are or are not auditing.

So did you take a default install of Active Directory or did you configure auditing? You will be lookin for an Event ID 645 for computer account creation, 646 for a change and 647 for a deletion.

You can learn more about configuring auditing here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx

Unless you have locked the network down, Authenticated Users can add up to 10 computers to a network. You can lock that down by following the steps in this article:

http://www.windowsitpro.com/ActiveDirectory/Article/ArticleID/24672/ActiveDirectory_24672.html

Microsoft has security guidance published for both Windows 2000 and Windows 2003 server:

Windows 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

Windows 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Windows XP:
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

National Security Agency (aka Spooks R' Us) Note that this one covers several OSes:

http://www.nsa.gov/snac/downloads_all.cfm

This question was closed by the author