Windows 2008: enable file auditing

1. On the drive or folder, go to Properties -> Security -> Advanced -> Auditing, then add an auditing entry for the local system's Everyone group. Then choose specifically which auditing events you want to log. Both "delete" events would be good ones to start out with.

2. Then on the local machine, go to Local Security Policy -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access. Here you can choose to enable just file system auditing.

If you instead enable Local Policies -> Audit Policy -> Audit object access, then every type of object access will be logged and the logs will essentially fill with junk data.
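The same two steps scripted, then a query that reads the resulting delete events back out of the Security log. This is an added example, not part of the original post. It assumes an elevated PowerShell 2.0 or later prompt, and `$Path` is a placeholder folder.

```powershell
# Added example, run from an elevated PowerShell 2.0+ prompt.
# $Path is a placeholder (assumption): point it at the folder to audit.
$Path = 'D:\Shares\Projects'

# Step 1: audit entry (SACL) for Everyone covering both delete rights,
# inherited by subfolders and files, logging successful attempts.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $Path -Audit   # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 2: enable only the File System subcategory of Object Access.
auditpol /set /subcategory:"File System" /success:enable

# Check both halves: the policy and the audit entries on the folder.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Read back delete attempts: Security event 4663 whose access mask includes
# the DELETE right (0x10000), limited to objects under $Path.
function Get-EventField($xml, $name) {
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $object = Get-EventField $x 'ObjectName'
        $mask = [Convert]::ToInt32((Get-EventField $x 'AccessMask'), 16)
        if ($object -like "$Path*" -and ($mask -band 0x10000)) {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = Get-EventField $x 'SubjectUserName'
                Object  = $object
                Process = Get-EventField $x 'ProcessName'
            }
        }
    } | Format-Table Time, User, Object, Process -AutoSize
```

If the legacy "Audit object access" policy is also configured, the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" determines whether the subcategory setting from step 2 takes precedence.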

source:
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/

This entry was written by resinblade, posted on Thursday February 16 2012 at 07:02 pm, filed under IT.
