Yep. IUser will be null when there's nobody logged in, so that wouldn't work.
Sessions can expire all the time for a variety of reasons, so I'd be worried if your website has conditions that necessitate sending an email just because of a session ending.
Maybe you should move to DB persisted session state if it's a critical factor.
I realise you said that was a fictitious example but it's hard for me to imagine a scenario that would absolutely necessitate knowledge of session start and end, what with it being a very indeterminate thing largely unrelated to any user experience.
Depending on your deployment scenario you can always just modify Global.asax, but then if you wanted to distribute this as a Module you'd have to expect any end users to also make those modifications.
A final option would be to implement a system where a "phantom user" is created for all unauthorised sessions. Then you can use the LoggedIn / LoggedOut events as well as moving your session data to the user profile - which is where most things I see session
getting used for actually belong ;)