The mongod's and mongos's are not auditing the same operations
Our docs at http://docs.mongodb.org/manual/core/auditing/ say the the auditing capability is for both mongod and mongos instances. Schema DDL are among the operations that are supposed to be logged by the auditing system. The documentation makes no distinction between a mongos and mongod server.
The issue I found is that even if you execute explicit operations like "createCollection" and "dropCollection" from a mongo shell connected to a mongos, the mongos audit log does not show the operations. The DDL operations are only logged in the mongod audit log.
I brought up a sharded cluster using the same audit parameters for all components of the cluster, namely the mongos's, the mongod's and the config servers.
Only "atype" : "authCheck" records, meaning only inserts, updates and finds were in the mongos audit log.
I understand this is intended behavior, since the DDL is not really finalized until the mongod on the shard executes it. However, at the same time, the insert is also not finalized until the mongod on the correct shard executes that. So it seems a bit inconsistent.