Hi @Sven Deha
Sorry to hear that your resources were deleted. Unfortunately, sign-in logs are limited so it really won't be possible to determine exactly how this user was created and got access. The only option I could think of is if you kept the email from when the account was initially invited by searching your email for that user's email.
I would definitely advise hardening your access roles and remove any accounts you don't recognize from your tenant. Furthermore, if you're deployed these resources in the past 90 days, then you can you follow @Oury Ba-MSFT 's suggestion and use the deployment activity to redeploy your resources. If it's been beyond 90 days, then you'll have to redeploy your resources manually. This is why it's important to have a CI/CD pipeline that will allow to redeploy your environment should you ever need to.