I'd go back to Nogdog's suggestion and record the IP address.
We use the following in our CMS, not to stop password sharing, but to offer members an additional layer of security.
//get the ip address
if(!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from shared internet
    $xip = $_SERVER['HTTP_CLIENT_IP']."ip";
else if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //check whether ip is passed from a proxy
    $xip = $_SERVER['HTTP_X_FORWARDED_FOR']."proxy";
else if(!empty($_SERVER['REMOTE_ADDR'])) //fall back to the address of the connecting peer
    $xip = $_SERVER['REMOTE_ADDR']."remote";
else { //no address available: record a random placeholder
    $r = rand();
    $xip = "UNKNOWN.".$r;
}
$xip is recorded in the user's record, along with their name, password, and an answer to one of ten of those stupid questions (e.g., what was your first dog's name?).
If the user logs on from a different IP address to the one recorded, the additional layer of security kicks in and asks them to answer that question. For you, I'd then get the incoming user to answer a different question, which means that even if the next user of the "borrowed" password was to try to log on, they wouldn't have the second answer.
Also, when the "owner" of the password next tries to log on, because he's now logging on from an IP address that's different to the one used by the "borrower", he's going to be asked a question to which he doesn't know the answer.
The reality is that even dynamic IP addresses change rarely, so if you tracked the number of times a different IP address was used, you'd be able to pick up users who were sharing passwords.
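One way to implement the IP-change challenge and the change counting described above, as an added example that is not part of the original post or the poster's CMS. It honours X-Forwarded-For only when the request arrives from a proxy you operate, since the client can set that header itself; the TRUSTED_PROXIES list, the $user record layout, the threshold of 3 and the sample requests are assumptions.

```php
<?php
// Added example, not the poster's CMS code. TRUSTED_PROXIES, the $user array
// layout and SHARING_THRESHOLD are assumptions made for illustration.
const TRUSTED_PROXIES   = ['10.0.0.5']; // constructed: a reverse proxy you run
const SHARING_THRESHOLD = 3;            // address changes before flagging

// X-Forwarded-For is supplied by the client, so honour it only when the
// direct peer (REMOTE_ADDR) is a proxy we operate.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);              // entry appended by our own proxy
        if (filter_var($last, FILTER_VALIDATE_IP)) {
            return $last;
        }
    }
    return filter_var($peer, FILTER_VALIDATE_IP) ? $peer : 'UNKNOWN';
}

// Run after the password check. Updates the record and reports whether the
// security question is needed and whether the account looks shared.
function check_login(array &$user, string $ip): array {
    $changed = ($ip !== $user['last_ip']);
    if ($changed) {
        $user['ip_changes']++;
        $user['last_ip'] = $ip;   // in a real flow, store only after a correct answer
    }
    return ['challenge'    => $changed,
            'flag_sharing' => $user['ip_changes'] >= SHARING_THRESHOLD];
}

// Constructed sample: two people alternating on one account.
$user = ['last_ip' => '198.51.100.7', 'ip_changes' => 0];
$requests = [
    ['REMOTE_ADDR' => '198.51.100.7'],
    ['REMOTE_ADDR' => '203.0.113.9'],
    // header sent by an untrusted peer: ignored, REMOTE_ADDR is used
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    // request relayed by the trusted proxy: header is used
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
];
foreach ($requests as $server) {
    $ip = client_ip($server);
    $r  = check_login($user, $ip);
    printf("%-14s challenge=%s flag_sharing=%s\n", $ip,
        $r['challenge'] ? 'yes' : 'no', $r['flag_sharing'] ? 'yes' : 'no');
}
```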