Presumably the tool that is telling you that you have an unexpected admin user (from Googling the message, it seems to be Wordfence) can also tell you at what time that user appeared? You can then read your web hosting logs to see what activity was happening at that time.
UpdraftPlus is installed on 3 million sites; if it has a vulnerability that allows new admin users to be created, we would be expecting to see a huge number of reports – this would be one of the biggest hacks in WordPress history. As of yet, yours is the only report, so looking at it at a statistical level (which is what I understand you are attempting to do – you haven’t mentioned any other data), then that doesn’t give any good indication that it’s related to UpdraftPlus.
A competent PHP developer will be able to analyse your WordPress database and log files to tell you more about how you are hacked. Since you are apparently using Wordfence, you could deploy their services to do that. (Though, given that you say you’re seeing a message that comes from Wordfence on all these sites, apparently you have at least one other plugin that is installed on them all? Though, the same reasoning would apply to Wordfence – they also have millions of installs, so if there’s an unknown defect there, you’d again be expecting a large number of concurrent reports).
