Does XPanel provide log files that let you check when users log in? If so, you might be able to match that against the date/time the spam was sent (the sendmail log in /var/log/maillog should have that).
I'm assuming that your web server runs as apache and that the email address isn't an arbitrary one. Can you have a look and see whether apache is listed in /etc/mail/trusted-users, as well as grepping /etc/mail/sendmail.cf and /etc/mail/submit.cf for lines that start with 'T' (for trusted users)? For example:
```
grep '^Tapache' /etc/mail/*cf
```
Removing those lines will cause a warning to be entered in the mail logs when somebody mails with `sendmail -f`. The benefit of the warning is in auditing your logs - you can see what apache changed the address to. For example:
```
Jan 9 09:06:18 fender sendmail: k08N6IKU013644: Authentication-Warning: fender.mydomain.com.au: apache set sender to firstname.lastname@example.org using -f
```
As far as stopping spam goes, can you reconfigure your setup so the To address can't be set by anyone else? I'm assuming that the users only need to contact a known set of people (support or other users for example).
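An added example, not part of the original post: one way to audit the `Authentication-Warning` lines described above, so each `-f` sender change by a given user can be lined up against login times. The function names, the sample host and the sample addresses are assumptions, and the embedded log lines are constructed to mirror the format quoted in the post.

```shell
#!/bin/sh
# Constructed sample maillog lines (not real data), in the format quoted above.
sample_log() {
cat <<'EOF'
Jan 9 09:06:18 fender sendmail: k08N6IKU013644: Authentication-Warning: fender.example.com: apache set sender to alice@example.org using -f
Jan 9 09:06:18 fender sendmail: k08N6IKU013644: from=alice@example.org, size=512, class=0, nrcpts=1, relay=apache@localhost
Jan 9 09:07:02 fender sendmail: k08N72KU013650: Authentication-Warning: fender.example.com: apache set sender to bob@example.net using -f
Jan 9 09:07:40 fender sendmail: k08N7eKU013655: Authentication-Warning: fender.example.com: apache set sender to alice@example.org using -f
Jan 9 09:08:11 fender sendmail: k08N8BKU013660: Authentication-Warning: fender.example.com: root set sender to admin@example.com using -f
EOF
}

# list_set_sender USER [FILE]
# Prints "month day time queue-id sender" for every warning where USER
# overrode the envelope sender with -f. Reads stdin when FILE is omitted.
list_set_sender() {
    cat "${2:--}" | awk -v user="$1" '
        # Warning lines end: "<user> set sender to <addr> using -f"
        /Authentication-Warning:/ && NF >= 10 &&
        $NF == "-f" && $(NF-1) == "using" &&
        $(NF-5) == "set" && $(NF-6) == user {
            qid = "?"
            for (i = 2; i <= NF; i++)
                if ($i == "Authentication-Warning:") { qid = $(i-1); break }
            sub(/:$/, "", qid)          # drop the trailing colon from the queue ID
            print $1, $2, $3, qid, $(NF-2)
        }'
}

# summarize_set_sender USER [FILE]
# Prints "count sender", most frequently used sender address first.
summarize_set_sender() {
    list_set_sender "$@" |
        awk '{ c[$NF]++ } END { for (s in c) print c[s], s }' |
        sort -k1,1nr -k2,2
}
```

On a live system, pass the log path as the second argument, for example `list_set_sender apache /var/log/maillog`, and compare the timestamps with the panel's login log.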