The first node to broadcast a transaction is probably the one where it was made. You can try to link its IP to a person, but how are you going to do that and what if they used Tor? I guess you're out of luck then
We get a device fingerprint for all transactions that occur on the network, so we can see everything about an from what IP/Proxy they are using, to what version of flash, browser they have. If they are using Tor it makes it a bit more challenging, but at least we can see the IP address that is assigned and look that way
I am not sure that's going to help you. What IP do you log specifically? The local IP is useless (99% NAT, etc.), the Tor exit point IP effectively masks the guy unless you're 3 NSAs. An IP obtained via an external service a la whatismyip is also going to give you the Tor exit node, is it not?
All in all, I feel like your best course of action would be to track fraudsters like you're already doing and try to stop them when they show up again, ban them or something of the sort.
Then again if they know what they're doing, your evercookie, digital fingerprint or what have you will not work properly either.
Just trying to throw out some ideas here, not trying to bash your operation or anything