Read here about places where startup programs can happen:
.
http://www.linuxquestions.org/questi...d.php?t=543046
Also it could be started by the 'at' command or by 'cron' (which has many locations...).
Even with SSH port closed, ssh can be specified to attach to another port, so this agent could be listening to another port as a sneaky maneuver...
you could also look at that process in a Tree via command line to see what is starting ssh-agent:
ps axjf (use [shift][page up] or [shift][page down] to look through the results)
run 'man ps' at a command line to learn more about that...
let us know how it turns out!