One thing I would do is have a look at /var/log/syslog. It's where Linux kernel and a bunch of other programs (dhclient, NetworkManager, acpid, dbus, ...) log some of their messages. It's extra nice because it will include which log line belongs to which program.
It depends on your implementation of last but if your system crashed you'll see a message to this effect in the last output.
Example
Notice the crash lines? These are as a result of the power going out or someone hitting the power switch on this particular system.
$ last
root pts/0 greeneggs.bubba. Tue May 13 22:42 - 22:43 (00:01)
reboot system boot 2.6.18-238.19.1. Tue May 13 21:47 (4+17:29)
root pts/0 greeneggs.bubba. Tue May 13 21:36 - crash (00:11)
root pts/0 greeneggs.bubba. Mon May 12 03:29 - 03:29 (00:00)
root pts/0 greeneggs.bubba. Sun May 11 16:47 - 19:41 (02:53)
root pts/0 greeneggs.bubba. Sat May 10 17:10 - 17:12 (00:01)
root pts/0 greeneggs.bubba. Sat May 10 08:35 - 08:35 (00:00)
root pts/1 greeneggs.bubba. Thu May 8 23:56 - 23:56 (00:00)
reboot system boot 2.6.18-238.19.1. Thu May 8 23:55 (9+15:21)
root pts/0 greeneggs.bubba. Thu May 8 22:39 - 22:41 (00:02)
root pts/0 greeneggs.bubba. Tue May 6 21:36 - 22:06 (00:30)
sam pts/0 byers.bubba.net Tue May 6 12:36 - 13:04 (00:28)
root pts/0 :0.0 Mon May 5 23:12 - 23:12 (00:00)
root :0 Mon May 5 23:03 - crash (3+00:51)
More esoteric method
One that I've seen used quite well is if you have a laptop, you can use the command line tool acpi to query the system's ACPI interface. This will tell you, among other things, when the system is on-line with power or running off of its battery.
Example
Here's the output from that command on my laptop.
$ acpi -V
Battery 0: Unknown, 94%
Battery 0: design capacity 6963 mAh, last full capacity 6683 mAh = 95%
Adapter 0: on-line
Thermal 0: ok, 52.0 degrees C
Thermal 0: trip point 0 switches to mode critical at temperature 100.0 degrees C
Thermal 0: trip point 1 switches to mode passive at temperature 95.5 degrees C
Cooling 0: LCD 0 of 15
Cooling 1: Processor 0 of 10
Cooling 2: Processor 0 of 10
Cooling 3: Processor 0 of 10
Cooling 4: Processor 0 of 10
Simply checking the contents of the line Adapter will tell the system's current status. This could be wrapped into a monitor, if for example, you wanted to monitor a group of machines to see if they've experienced their power being cut as a group.
plugged in
$ acpi -V | grep "Adapter"
Adapter 0: on-line
unplugged
$ acpi -V | grep "Adapter"
Adapter 0: off-line
Best Answer
Only root privileged programs can gracefully shutdown a system. So when a system shuts down in a normal way, it is either a user with root privileges or an acpi script. In both cases you can find out by checking the logs. An acpi shutdown can be caused by power button press, overheating or low battery (laptop). I forgot the third reason, UPS software when power supply fails, which will send an alert anyway.
Recently I had a system that started repeatedly to power off ungracefully, turned out that it was overheating and the mobo was configured to just power off early. The system didn't have a chance to save logs, but fortunately monitoring the system's temperature showed it was starting to increase just before powering off.
So if it is a normal shutdown it will be logged, if it is an intrusion... good luck, and if it is a cold shutdown your best chance to know is to control and monitor its environment.