@Tim Yes. The Wordfence scans are invaluable in such cases. Well reminded!
@Mike
The Wordfence scan will compare all the Wordpress core files, and the theme and plugin files if selected, against those held in the repository. You can also check the site through your FTP client and change the viewing pane to list the files/directories in order of date modified - this can help direct you to any files that were modified within the date range of the suspicious login(s)that fall outside the Wordfence scan for a manual check. If you have a recent clean backup for comparison, you could also try a file/folder comparison programme such as WinMerge (not sure of the apple/linux alternatives).