I would start by filtering the logs by Update and run it on all days. You should be able to track it down. It could have only been done by someone with permission to add admin users...
Security and privacy
Site admin
This discussion has been locked so you can no longer reply to it.