Step 1: Get corroboration. That is, ask other players (voicechat or teamchat if the suspect is on the other team, steam messages or vent if otherwise.) if they think the suspect is hacking too. Going into spectate and watching them for a while helps. If it looks like a hacker, and you've got corroboration, go to step two.
Step 2: Find an admin. Admins include Lancer, Durban, and teamchuckles!. There are others, but those are the ones I know have the rcon password. In the process of step 1, you may already have found one. Let the admin know about the suspected hacker. The hacker will be kicked and/or banned. If you cannot contact an admin, go to step three.
Step 3: Open the console and enter the following commands in succession; "status" and "condump". "Status" will identify all the players on the server by their in-game names and their steam IDs. "Condump" dumps the entire console into a text file in "C:\Program Files\Steam\steamapps\(playername)\team fortress 2\tf", and names it "condumpXXX.txt". If it was your first condump, it will be titled "condump000.txt". If it was your second, then the name will be "condump001.txt", third is "condump002.txt", etc. Once you have done that, go to step four.
Step 4: Record a demo. This is done with the console command "record (demoname)". Stop recording with the command "stop". Replace (demoname) with what you want the demo to be called. Parentheses not required. Going into spectate and recording the offender will help greatly. When you have finished recording, upload the demo and condump to an appropriate website and submit a ban request at
this location. An admin will review your request, as well as the source material provided, and determine if a ban is an appropriate action.
Edited October 5th, 2008 for new information.