Look at incoming hosts – can be good for seeing if there is some kind of system abuse (eg ddos)
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nrk 1 | head
Isolate Apache processes by account owner – sometimes it is Apache processes belonging to a particular site that are consuming memory.
lsof | grep '^httpd' | grep '/home/'
Using this command in conjunction with top should be able to point out the culprit account
Hat tip: our hosts Wiredtree – this little bit of info came in response to working out a recent issue