sudo cat /var/log/mysql/error.err | egrep '[aA]ccess denied'

https://serverfault.com/a/455610
Added
It is necessary, in fact, to disconnect this server from production, out of harm's way and conduct experiments on it. And for production, prepare a freshly installed OS with a more serious approach to protection.
If there is a sporting interest in detecting malware, then:

1. run the decoy program instead of the actual MySQL.
   https://github.com/sjinks/mysql-honeypotd
   
2. further, you can install atop, acct:
   sudo apt install acct atop
   atop collects information about system performance and running processes
   acct monitors user activity (in particular, sa displays a list of processes)
   https://haydenjames.io/use-atop-linux-server-perfo..
   https://www.tecmint.com/how-to-monitor-user-activi... will
   collect statistics for half a day-day and then you can analyze the history like this:
   atop -r /var/log/atop/atop_20200729
   
3. If not enough, then I had this idea: you can write a program. It can listen on port 3306 and register an IP address and also find out the process number of the client, by which you can find out both the path and from which user it is running.
   Find out the process number on the listening port
   sudo lsof -i :2345
   Find out what kind of user it is and where it starts from
   

   ls -l /proc/6726/exe
   pwdx 6726

   
   

netstat -> grep -> file
or log via grep

an option to search all files on the server for the presence of the string "Admin2"
there may be a brute force script with a list of default logins or a text dictionary, etc.
find / -type f | xargs grep "Admin2"
, you can search not from the root, but for example in / home or / var, etc.

If something was trying to guess the password from within... wouldn't it be easier to see the login/password in the project settings?