There is nothing wrong with writing logs to a file, you just need to make sure you create a special directory for it and add .htaccess that will prevent listing, and probably deny all access to it from the web.
There is nothing overly wrong with storing data in the DB provided you do it in its own table, but unless you need to be able to filter the data online, it is probably just pointless overhead (in the end, DBs store everything as files…).
The advantage of having a DB table is that it is easier to create it using the WP DB APIs, but it is much harder to extract the information if you need the full log. (you need to explicitly write the code to do that, might run into memory limitations, etc)