I think the headers which are present in the request when it's received by the BIG-IP are being logged in the iRule. I would guess that there is a server inserting the HTTP headers after the BIG-IP. Or perhaps not all of the CGI variables are actually headers. Maybe they are being parsed from other HTTP headers or the payload data.
If you check the HTTP headers that the client sends on the browser, do you see a samaccountname header? You can use Fiddler for IE or LiveHttpHeaders for FF to check. Anything you see in the headers on the client should be available to the BIG-IP.
Aaron