How do you trace someone who attempted to hack email

Static or Dynamically assigned public IP Address?
Wireless Modem/Router?
Does the user go out and leave the PC switched on or even in standby mode?

These are the questions you need to ask.

If it's a static IP Address, then you should look at remote connection using freely available VNC or RemotePC type programs left running on the user's PC.  Malicious software scanning for open ports on commonly used "remote connection" ports can hack into and control a PC, especially if the software running on that PC is configured just to allow a connection without prompting the user.  It would be unusal to imagine this type of hack on a PC connected with a dynamically assigned public IP address, because it would be more a case of pot luck, but nothing is impossible.

VNC and other types of remote connection software may or may not log activity.  The Event Logs may or may not show this type of event, depending on the software and how it connects.

It is possible to make VNC-type software on another PC contact your own PC and establish a connection so that you can then access it.  Check the scheduled tasks.  Of course, that would be way too obvious if someone had rigged the PC to call out at predetermined times.

Wireless connectivity can create insecurities if not configured properly.  Someone with a WiFi-enabled laptop on the street outside or in a neighbouring apartment/house could potentially gain access to that PC.

Are (or were) wireless events logged, if this consideration is a possibility?

What kind of Modem/Router is used?

You can access the internal pages of most Ethernet devices using the web browser and retrieve modem logs.  You would have to ascertain the Make and Model to find out the default private IP address used to open the Modem's property pages, but the most common is probably 192.168.0.1.  So, http://192.168.0.1 in the web browser would open the modem diagnostics pages.  

You (or the apparently innocent "defendent") stands to lose traces of logs, events, or other traces if the computer continues to be used.  Data such as file creation and modification could also be lost by looking for supporting data.  Experts who examine computers for evidence use software that does not modify data, but is able to extract the desired information from files.

What about the recipients of the emails allegedly sent?

Getting to see the full emails and headers received by other persons may yield some useful information.  Not just the email data, but the actual content.  For example spelling errors that match with consistent spelling errors made by the person that seems to be the main suspect.  Or perhaps some special knowledge information typed into the email that only the suspect would know.

Perhaps some dirt-digging about the person being named as the likely suspect could yield some boasts about "hacking", if you know his/her email address and do some web searches on that person and the email address.  Google caches a lot of pages from bulletin boards, etc in which that person may hang around telling little stories about his/her exploits.

If this incident is at all likely to spark a legal enquiry of any kind (criminal charges or civil claims), then it is imperative that the user seeks some professonal expert assistance to preserve and investigate the allegations.

How about unknown/unwanted physical access to the sending PC? The physical environment may be of interest, especially concerning who has access to the machine.

Since this is a "scenario", this shouldn't be overlooked.
/RID