Tracing actions by user on a shared SSH key access
Imagine we have a shared SSH key/(username & password) between two users. We call them Bob and Alice.
Bob has connected to the server and has executed some chain of commands that led to the deletion of some critical data on that host.
Alice also connected to the same host, using the same shared credential just to run some updates.
Although we have the sshd auth logs (/var/log/auth.log) and know that both users were connected during the incident, is there a way to distinguish which user (connection, as they contain the user's IP) was responsible for the chain of actions?
Asked by A.R.H
(121 rep)
Sep 15, 2021, 10:06 PM
Last activity: Sep 16, 2021, 06:18 AM
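As an added example (not part of the original post), this script shows what the sshd auth log mentioned in the question can establish: which source IP belongs to which sshd PID and session window, and which sessions were open at a given time. The log lines, the account name `shared`, the host name, IPs, PIDs and the incident time are constructed, and the Debian-style `auth.log` line format is assumed.

```python
import re
from datetime import datetime

# Constructed sample in Debian/Ubuntu auth.log format; host, account, IPs and PIDs are made up.
SAMPLE_AUTH_LOG = """\
Sep 15 21:40:12 host1 sshd[4101]: Accepted publickey for shared from 198.51.100.7 port 50112 ssh2: RSA SHA256:CONSTRUCTED
Sep 15 21:40:12 host1 sshd[4101]: pam_unix(sshd:session): session opened for user shared by (uid=0)
Sep 15 21:52:30 host1 sshd[4188]: Accepted publickey for shared from 203.0.113.24 port 41877 ssh2: RSA SHA256:CONSTRUCTED
Sep 15 21:52:30 host1 sshd[4188]: pam_unix(sshd:session): session opened for user shared by (uid=0)
Sep 15 22:03:05 host1 sshd[4101]: pam_unix(sshd:session): session closed for user shared
Sep 15 22:10:44 host1 sshd[4188]: pam_unix(sshd:session): session closed for user shared
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")

def parse_sessions(text, year=2021):
    """Return {sshd_pid: {user, ip, port, start, end}} built from auth.log text."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = int(m.group(2)), m.group(3)
        acc = ACCEPTED.search(msg)
        if acc:
            sessions[pid] = {"user": acc.group(2), "ip": acc.group(3),
                             "port": int(acc.group(4)), "start": ts, "end": None}
        elif "session closed for user" in msg and pid in sessions:
            sessions[pid]["end"] = ts
    return sessions

def open_at(sessions, when):
    """Source IPs of sessions open at `when` (a missing end means still open)."""
    return sorted(s["ip"] for s in sessions.values()
                  if s["start"] <= when and (s["end"] is None or when <= s["end"]))

if __name__ == "__main__":
    found = parse_sessions(SAMPLE_AUTH_LOG)
    for pid, s in sorted(found.items()):
        print(pid, s["ip"], s["start"], s["end"])
    # Constructed incident time: both sessions are open, so these records alone are ambiguous.
    print(open_at(found, datetime(2021, 9, 15, 22, 0, 0)))
```

When `open_at` returns more than one IP for the incident time, the login and logout records do not separate the two connections; the sshd PID per connection is the key that any other per-process record would have to be joined on.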