Since Sun first suggested it, you should probably use Pluggable Authentication Modules (PAM). The C example in the documentation (warning, PDF link) shows how to add an extra layer to the password changing process. Your assignment is to wrap the API in XS so that I can use perl to develop PAM plugins ;-) (The PAM stuff on CPAN is only for using PAM, not for extending it.)

Update: Looks like there is already a logging plugin which you can download and compile (tarball link).

Update: You will want logging on the password stack, not the login stack. Other than that, traveler's node probably points you at the quickest (and most perl-y) solution. (++)