I would start by filtering the logs by Update and run it on all days. You should be able to track it down. It could have only been done by someone with permission to add admin users...
Security and privacy
This discussion has been locked because a year has elapsed since the last post. Please start a new discussion topic.