That’s really strange.
The email you received was a Wordfence email, warning of someone using a login to your WordPress site of a user that doesn’t exist?
The two things that can help you find out what happened is getting the email headers (from the warning email), and getting a look at any Access Logs from the time the email was sent. Your hosting provider can help if you are unfamiliar at how to download them.
There are a couple of possibilities you can find out from this.
One might be phishing (the email providing a link to a form that isn’t your site, but pretends to be a wordpress admin login ‘to check out the problem’).
Email headers from the email could tell you if the email was sent from your website or not.
A second option is that someone used malware to create a user, log in, and perform some actions, then deleted the account. But that is unusual because the actions someone would perform for that would be to leave backdoors, and a new user account is one such backdoor they’d want to leave behind.
If you have access logs for the server from the time of the email (your host may be able to tell you where they are), that could tell you if someone had actually accessed the server.
A third outcomes might be a staging site or a cloned site. If you have a staging site, it could be that site that is being logged into (and have the user).
A fourth, rarer possibility is that someone had cloned the site – an exposed backup of your website could be downloaded. Essentially if you have a backup plugin saving copies of your site in a location a visitor can download, sometimes that site is then cloned and by someone else (who then administrates that clone).
If they happened to clone your site, including the Wordfence settings and email, you would receive warnings when they log into their copy of your site.
