Anyone can set a firmware password by booting into a Mac OS installer and turning one on. I believe on (maybe) 10.14 and above (or maybe its just T2 enabled macs, Im not sure offhand), you need to know the local admin password to make changes to any security settings like firmware.
We specifically set a firmware password which keeps anyone from booting to anything other than their Main Hard Drive. The only resolution for a firmware that you don't know (at least on newer machines as far as I know), is to replace the logic board. On truly older machines you could just remove the ram and reseat it to clear the firmware password. Nowadays its stored on the board.
Figuring out how it happened will probably not help much, but you may want to consider turning one on so it cant be done by someone else again.
Princeton Public Schools