If new software was (legitimately) installed, your RPM database should reflect this. In the example you cite, you could check the date the package was installed by
rpm -qi -f /usr/bin/bmp2tiff
If the instal date is quite recent, then you need to check further to see if an automatic update happened. (I would think it would be logged somewhere.) If the install date is old then it sounds like something fishy is going on.
You can also check files properties (date, md5, etc) against the RPM database by
rpm --verify -f /usr/bin/bmp2tiff
Again, a match would simply mean you need to check further to make sure that a recent change was legitimate.