The "reason" column gets filled in when logins/cmds are filtered by NARs. It would tell you which NAR caused the login to be rejected.
On the ACS side you could add a custom command whose authorisation would get logged in the T+ admin logs. Only issue is what IOS would do with the unknown command?
A cludge might be to add "ping " into the script?? Im sure there's a better way!
In my time at Cisco I often asked why there wasnt better change management built into IOS so that, for example you could enter some reference into IOS when you enable, and have that value included in each command authorisation. Seemed really simple and useful to me!
Darran