Another way you could find out is to check if any object-level privileges have been granted to the user because the table dba_tab_privs does record the grantor. If you are fortunate enough to find such grants, it is very likely the same person who created the user. Unfortunately dba_role_privs and dba_sys_privs do not have such a column.
Or you could try to Log Miner if your database has archivelog enabled.
normally DBA account (SYS/SYSTEM) have permission to create it.
if its created from sys account and auditing for sys is enabled then you can get helpful information from adump location