Thanks for everybody's help.. it actually made me rethink some options.
While I had tried to find the domain he used on the email (for example @mydomain.com), i had not tried his FIRST name.
So I built a list of the most obvious mistakes in his name (came to 6 combinations) and then combined those with the possible 7 domains he could have used... and came up with 42 possibilities.
I then used my companies QA testing tools and wrote an automation script that would try each possibility on the 'reset password' page. (i may have also had to use a few of our global hosting facilities since Twitter locks you out on multiple incorrect attempts).
After setting up an email address with info he used for that twitter account... I was able to reset the password and access twitter under that account.
Now to hold him hostage and get some manual labor done around the house 🙂