Ok google, mac vendor.
We go to https://macvendors.com/ and see that this is mac Mikrotik.
You managed to catch yourself by the tail :)
In search of a mysterious device, it would help you if all the switches were managed (along the chain to track which port this or that mac is on). Without managed switches - at random, more precisely by the method of plugging and plugging connectors (and ping the left ip-address at the same time).

Run wireshark, configure listening on ports 67 and 68, make a DHCP request, all servers should respond.

Mac hotspot? They know how to replace the poppies of clients with their own.

Is proxy arp enabled on Mikrotik?

today DHCP distributed not 113.0.168.1 but 116.0.168.1 on this IP devices are already defined.
I decided to immediately break through the range 115.0.168.1 is available with a huge response. 117 is available there too.... I'm shocked.
on 117 there are devices on which I successfully logged in, but I could not cheer up the logins. and these devices are never from my network at all - these are three cameras and a router.
as we see in the settings of their camera, which I went to the usual 1st subnet.

Change the password on the available camera until someone comes running.
Or the resolution on it is as small as possible. Yes, just change the ip.
And what other ports are available on those ip?
Same ssh? Nmap pom to check what OS is there and google default passwords
Have you checked your servers for such poppies?
If the domain is Windows, I think it's not difficult to collect network information using group policies and put it from each device into a shared shared folder. Well, then do a file search and identify the machine on which this poppy is.