WHM login two factor auth logging?

So this afternoon one of our servers got compromised, We have already migrated the data away and locked it down. The problem i am trying to understand is someone logged into WHM using root and somehow got around the 2 factor auth. Is there a way i can check the logs as to how they logged in, and if they did indeed bypass 2 factors or did put it in ?