Most likely in the spamassassin configuration file. For example, apache's user is specified in httpd.conf, so maybe it is the same here. Some daemons state which user on the command line however, eg MySQL:
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
This form would be in your init scripts...
I know you said just a question, but you do realize there is a good reason for daemons running unprivileged, right?