If they are relying on the Windows Update Service (WUS), you can use a prevention policy to "allow but log" access to the executables that make up the WUS. I know of wuapp.exe, but there may be more.
It will take some profiling to see what executables are used, and when they are used (i.e., will you get an alert that the executable ran when it is just checking to see if there are updates out there waiting to be downloaded?).
If you are using a non-windows patch management solution, you will have to profile that application.
You could also potentially do this using a detection policy, if you can get Windows to log the start of the WUS process in the Windows Event Log. Once you know what Windows events you are looking for, use a Windows Template Detection policy to monitor the event logs for the specific data and trigger an alert. I have not done this, and after a quick test in my lab, in 2k3 it appears that WUS activity is not logged by Windows by default.
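As an added example, not part of the original post and not tied to the policy product it discusses: the profiling step above can be done from the Windows Event Log itself once process-creation auditing is switched on. This script assumes a Vista/2008 or later host where "Audit Process Creation" is enabled, so that each process start is recorded as Security event 4688 (it does not apply to a default 2003 box). The list of executables is an assumption to be confirmed by your own profiling; the post only names wuapp.exe, the others are candidate names for the update client on other Windows versions. The result is grouped by executable and parent process, and by hour of day, so you can see whether the process shows up on a check-only schedule or only when updates are actually downloaded.

```powershell
# Added example: profile Windows Update client process starts from Security
# event 4688 (process creation). Requires "Audit Process Creation" to be on.
# ASSUMPTION: only wuapp.exe comes from the original post; the other names are
# candidates for the update client on other Windows versions. Confirm by profiling.
$UpdateExes = @('wuapp.exe', 'wuauclt.exe', 'usoclient.exe')

function Get-UpdateProcessStarts {
    param(
        [int]$Hours = 24,
        [string[]]$Names = $UpdateExes
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error (not an empty set) when nothing matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $exe = [System.IO.Path]::GetFileName($d['NewProcessName'])
        if ($Names -contains $exe) {          # -contains is case-insensitive
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Exe     = $exe
                Path    = $d['NewProcessName']
                Parent  = $d['ParentProcessName']   # only present on 8.1/2012 R2 and later
                User    = $d['SubjectUserName']
                Command = $d['CommandLine']         # only populated if command-line auditing is enabled
            }
        }
    }
}

$starts = Get-UpdateProcessStarts -Hours 168   # one week of history

# Which executables run, and what launches them
$starts | Group-Object Exe, Parent |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# When they run: a start that appears at the same hour every day is the
# scheduled "check for updates"; bursts at other times are more likely downloads/installs
$starts | Group-Object { $_.Time.Hour } |
    Sort-Object { [int]$_.Name } |
    Format-Table @{ Name = 'Hour'; Expression = { $_.Name } }, Count -AutoSize
```

Run it on a machine that has been patching normally for a week or more. Once you know which executable and parent pair shows up, and at which hours, you have the specific event data to feed into whatever detection rule your product uses to alert on the event log.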