At an old job we had our lockout period set for 3 days. The theory being that if an account locks over the weekend, us admins would like to know about it very much. This was put into place before we really had GroupWise web-access up and running. This was in the era before web-based attacks were as automated as they can get these days.
Once tracing access hits a public ISP of some kind (attackers in Germany are popular with us for some reason) it gets very hard to get past them. You have to prove that the IP address in question violated the ISP's terms of service in some key way, or go the legal route. And even then they may ignore you.
Intruder Lockout serves a useful function, but at the same time it is a way to perform a Denial of Service attack against a person. The three day lockout of my old job would be very prone to this. While having a 30 minute lockout would greatly slow password guessing attempts. If a user gets continually locked out and it is traced to publicly facing services (GW-WebAcc, SSH, FTP, NetStorage, etc) it is a very good idea to make sure that user has a robust password.
Personally, I find lock-outs to be a nuisance rather than a critical chase-it-down thing. We had similar things happen when a spam mailing forged the identity of a top level manager here, and the manager asked us to find it and stop it. Once we teach the person requesting the investigation that the best we can do is trace it off shore and out of any legal jurisdiction we might have, they've always relented.