As others have mentioned, Active Directory and Windows Authentication might be more appropriate if that’s an option. But if not…

If the application has a central place that creates the connection & transaction prior to update, you may be able to use SET CONTEXT_INFO to pass along the “real” application user while still using a shared SQL account for the login.

Then in your auditing triggers you can pull the information back out again using the CONTEXT_INFO() function

This is the approach used by at least one commercial auditing tool

See also similar SO questions here and here which reference context_info and a blog post Exploiting Context_Info for Fun and Audit which gives an NHibernate example.

Nitpick on something else in your question: you said it’s using sa user. Maybe that was just an example, but probably the application should not have so many rights on the server. Create a user with only the rights needed for the particular database(s) that application uses. This limits the impact of any future security vulnerability (e.g. SQL Injection) in your application. And to take it one step further, you might have one connection string with a read-only user account, and then at the point where you create a transaction to update data, switch to a connection string with the read/write user account. You still get most of the benefits of connection pooling, but you limit even further the impact of any application-tier bugs.