There's a couple of things you can do.
The simplest is to use tcpdump. e.g.
#tcpdump -Z root port 25 -vvvvvvvvvvvvvvvvv -C 10 -W 10 -w captest-port-25
This will capture all traffic on port 25 and dump it to a file called captest-port25.001
It will continue to do so until the file has reached 10Mb in size and will then switch to .002
It will create no more than 10 of these files before starting at the beginning.
However, with the attack in progress, you can just do the capture for a little while, then CTRL-C.
The resulting file can be viewed in Windows using Microsoft Network Monitor (free download from Microsoft) as long as you rename the file .cap when you copy it to your PC. You can also just look at the file directly in your system using a text editor.
You should be able to see the smtp transaction taking place, including the username used to authenticate.
However, if you have pop-before-relay enabled then they may be authenticating by receiving before sending, which will be a pain for you to trace. Looking very carefully at the sequence of events in your maillog may help here.
In fact looking at your maillog at the point just before the attack happens is well worth while. At the very least you'll be able to identify the IP address the attack is coming from, and be able to block it, even if you can't immediately figure out the username being uses.
You may also want to try to install spamdyke, which offers superior logging along with anti-spam features, but I suspect this is not the time to do that....
There may be other alternatives to all this -- my suggestions may not be the best option to use.