I think having an IP address appear in a log that doesn't match a known list is the best suggestion we have - the DHCP but no Agent rule is an example if you have full agent coverage, but if you don't, you might be able to build lists of known hosts or known good IPs otherwise. Other ideas along those lines would be a Logon from an unknown IP, or firewall traffic in/outbound from an unknown IP, or proxy traffic from an unknown IP. The trick is going to be in determining what an "unknown" IP is.
Some devices might log this, too. User Device Tracker (a separate SW product) does try to do some new device detection as well, since it's about detection of what device is where (and on which MAC).