We have been using the SSL Inspector logs and cross-referencing the domain names revealed there against known VPN domains. It's not ideal, but it's at least letting us know where to find the likely VPN users.