I've had this, also. Two sites, same server (shared hosting).
I chased this up with my host to see if they'd been auditing MySQL entries, which they had, so I could investigate something myself and they also said that the IP address had also been probing other sites on the server for the Wysija-Newsletter plugin.
Interestingly, I had a Wordfence 'blacklisted user' email, today, for the NULL user trying to log in. Same IP address.
So, maybe it was a Wordfence bug, as they suggest in that other post, that's been fixed now.
If you search around there are hits for this dating back to last year.
