The underlying issue with the question is that anomalies are relative to something... your particular users, your particular data, your particular applications, your particular seasonality, and so on.
In some companies, accessing a production database on a night or a weekend would be an anomaly. Others, FAILURE to access the database would be an anomaly.
Splunk has lots of features for detecting and analyzing unusual or interesting events.
The first step is to get the logs into splunk. Then, ask a question about access patterns, pull the relevant data, and get yourself a simple answer. Repeat, repeat, repeat.
Whenever you find the answer is not simple, or the data is not understandable, then post some non-confidential details about the issue in a new question and we will help you figure out how to think about the data you have, or how to reorganize it to make sense.
But the first step is acquiring a feed from the audit logs themselves, and getting them into splunk (or any other awesome tool) so that they can be examined.