Comments on: Some MySQL security tips
https://shlomi-noach.github.io/blog/mysql/some-mysql-security-tips
Blog by Shlomi Noach

By: Todd Farmer, Thu, 25 Sep 2014 14:50:10 +0000
https://shlomi-noach.github.io/blog/mysql/some-mysql-security-tips/comment-page-1#comment-273643

Hi Shlomi,

FYI, the system auth plugin referenced earlier is now packaged as part of 5.7.5:

http://mysqlserverteam.com/the-mysql-5-7-5-milestone-release-is-available/
http://dev.mysql.com/doc/refman/5.7/en/mysql-no-login-plugin.html

We’re considering back-porting to 5.6 (since it’s an optional plugin, there’s less concern about regression) in a future release.

By: Daniël van Eeden, Tue, 29 Jul 2014 10:36:26 +0000
https://shlomi-noach.github.io/blog/mysql/some-mysql-security-tips/comment-page-1#comment-256375

My 2 favorite security tips:
– Install (security) updates
– Run mysql_secure_installation

By: shlomi, Tue, 29 Jul 2014 05:39:54 +0000
https://shlomi-noach.github.io/blog/mysql/some-mysql-security-tips/comment-page-1#comment-256334

@Todd,
cool.

There’s this login audit plugin I wrote (https://shlomi-noach.github.io/blog/mysql/introducing-audit_login-simple-mysql-login-logfile-based-auditing). The thing with plugins is that they are nightmarish to support across versions.
Whenever I upgrade a MySQL server, I need to recompile the plugin (with the same version) and install on service. I find that this is difficult to maintain, even with Chef. It becomes a macaroni of versions.

I wish there would be a way to write plugins such that they don’t need to be recompiled for every possible version.

By: Todd Farmer, Mon, 28 Jul 2014 18:15:54 +0000
https://shlomi-noach.github.io/blog/mysql/some-mysql-security-tips/comment-page-1#comment-256076

Hi Shlomi,

FYI, there’s a slightly less-hackish way to create valid accounts which prohibit all client connection logins:

http://mysqlblog.fivefarmers.com/2012/11/08/system-user-authentication-plugin/
