gistfile1.txt

This script:

syscall::open*:entry
/execname == "login"/
{ printf("%s %s", execname, copyinstr(arg0));
ustack(); }

Yields these results (among others):

CPU     ID                    FUNCTION:NAME
  0    935              open_nocancel:entry login /var/log/asl/2013.07.24.U205.asl
              libsystem_kernel.dylib`__open_nocancel+0xa
              libsystem_c.dylib`asl_file_open_read+0x96
              libsystem_c.dylib`asl_store_match_timeout+0xa7
              libsystem_c.dylib`getlastlogxbyname+0x10a
              login`0x000000010c253370+0x68b
              libdyld.dylib`start
              login`0x3

  0    935              open_nocancel:entry login /var/log/asl/BB.2014.01.31.G80.asl
              libsystem_kernel.dylib`__open_nocancel+0xa
              libsystem_c.dylib`asl_file_open_read+0x96
              libsystem_c.dylib`asl_store_match_timeout+0xa7
              libsystem_c.dylib`getlastlogxbyname+0x10a
              login`0x000000010c253370+0x68b
              libdyld.dylib`start
              login`0x3

  0    935              open_nocancel:entry login /var/log/asl/BB.2014.02.28.G80.asl
              libsystem_kernel.dylib`__open_nocancel+0xa
              libsystem_c.dylib`asl_file_open_read+0x96
              libsystem_c.dylib`asl_store_match_timeout+0xa7
              libsystem_c.dylib`getlastlogxbyname+0x10a
              login`0x000000010c253370+0x68b
              libdyld.dylib`start
              login`0x3

…so the libc function getlastlogxbyname() is the culprit. From the version of login.c in Mac OS X 10.8.3 (10.8.4 source has not yet been released):

#ifdef __APPLE__
#ifdef USE_PAM
  /* get lastlog info before PAM make a new entry */
	if (!quietlog)
		getlastlogxbyname(username, &lastlog);
#endif /* USE_PAM */
#endif /* __APPLE__ */

I wasn't signed in when I created this gist, but it was my fault. Comments can be directed at me.