As @jamf-42 stated, start with your change management logs. But assuming you have not already, get that password rotated and made far more complicated. If possible retired that username also as its a known variable now.
Ideally:
- You should only have a single Local Account that is an Administrator with as long and complicated of a password as possible, and vault the password somewhere secure.
- Anyone with Jamf Access (admin or not) should be using SSO with Local Jamf Groups and MFA setup or LDAP with LDAP Jamf Groups (SSO is better as it supports MFA) and not local Jamf accounts.
- Any other local accounts should have very limited access to VIEW only what they need such as to view policies or enroll computers (if not using SSO enrollment customizations).
- If you have API integrations still using Local Accounts, set the longest and most complex passwords possible and they should never have administrative access.
