First, check ownership / permissions on the directories:
drwxr-xr-x 26 bin bin 3072 Jul 25 2007 /var
dr-xr-xr-x 16 bin bin 1024 Aug 24 2005 /var/spool
dr-xr-xr-x 5 bin bin 1024 Aug 21 14:05 /var/spool/cron
dr-xr-xr-x 2 bin bin 96 Aug 21 14:07 /var/spool/cron/crontabs
and the actual crontabs:
-r-------- 1 root sys 73 Aug 21 14:07 l00s7m
-r-------- 1 root sys 314 Aug 14 14:13 root
It sounds like somebody tried to do "crontab -e" and /tmp was full. if they exited with a "ZZ" or "wq" it would have saved an empty file.
Tripwire may be of some use...it'll tell you the file changed, but not who or how (and aftrer the fact of course)
http://en.wikipedia.org/wiki/Tripwire_(software)Event auditing might get it, but I believe that is system-wide, not file specific. You might examine the .sh_history file for the user in question, if available. If you've many crontab users, and only one is having issues, then it is almost certainly user error.
