• Resolved polyfade

    (@polyfade)


    There have been multiple files infected on my site, identified by Sucuri.
    November 16, 2016 8:11 pm | system | 127.0.0.1 | File modified: (multiple entries)

    However, the problem is this hacker is being identified from the localhost IP. Is there any way of finding out this user’s true IP address so I can block it?

Viewing 1 replies (of 1 total)
  • There is no way to pin-point the origin of the modifications, unless the attacker has triggered a different event. If the malicious user has, for example, access to your FTP account then they can create, modify and/or delete any file without triggering any WordPress event, this is why the plugin can’t show you the IP address, because the modifications are not happening through your website but through an external tool (FTP, SSH, cPanel, etc…).

    What the plugin does is to check every 12 hours (unless you have modified this frequency) if the checksum of any file is different than the checksum reported in the previous scan, if the checksums are different then the plugin generates that alert, but at this point the plugin has no information about the origin of the modification, hence the localhost address.

    Please refer to the I/O and access logs in your server, you will find more information about the origin of the modifications there. You can also audit the plugins/themes that you have installed, they can contain malicious code that allows a malicious user to write into your website bypassing the WordPress action system.

    Marking as resolved, feel free to re-open if you have more questions.

  • The topic ‘Malicious hacker identified as 127.0.0.1 – system’ is closed to new replies.
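
As an added example (not part of the thread and not the plugin's code), the access-log review suggested in the reply can be narrowed by listing state-changing requests that arrived shortly before a modified file's timestamp. The Apache combined-format log lines, the IP addresses, the modification time and the function names below are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Nov/2016:19:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [16/Nov/2016:19:58:40 +0000] "POST /wp-content/plugins/example/upload.php HTTP/1.1" 200 312 "-" "curl/7.50"
203.0.113.45 - - [16/Nov/2016:19:59:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/7.50"
198.51.100.7 - - [16/Nov/2016:20:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def requests_before(log_text, modified_at, window=timedelta(minutes=5)):
    """Return write-type requests logged in the window ending at modified_at."""
    hits = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None or entry["method"] not in WRITE_METHODS:
            continue
        if modified_at - window <= entry["ts"] <= modified_at:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    # Constructed modification time; on a real host take it from os.stat().
    mtime = datetime(2016, 11, 16, 19, 59, 5, tzinfo=timezone.utc)
    for e in requests_before(SAMPLE_LOG, mtime):
        print(e["ts"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

An empty result is consistent with a change made outside the web server (FTP, SSH, cPanel), in which case those services' own logs are the place to look. File modification times can be altered, so treat a match as a lead to verify rather than proof.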