Hey there! The best answer I have for this is "maybe" depending on what logs are available to you.
If you have root access to the server, you can check email access using /var/log/webmail. Here is an example of what the log entry looks like when someone accesses webmail through cPanel:
Jan 26 09:57:46 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=2089199, secured, session=<I7HC+Cvzbq0AAAAAAAAAAAAAAAAAAAAB>
Jan 26 09:57:46 host dovecot: imap([email protected])<2089199><I7HC+Cvzbq0AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=82, out=939, bytes=82/939
You'll also see similar entries each time a message is deleted, as it authenticates to the server, deletes the message, and then closes that session.
You could try and correlate those timestamps to the data in /usr/local/cpanel/log/access_log to see if that matches up with an IP address.
For even more detail, you can run this command:
tail -f /usr/local/cpanel/logs/access_log
while deleting a message in webmail, and you will get many lines of output. It's long, so I didn't share it here.
If the message was deleted from an email client, such as Outlook, the logs will be more limited.
Hopefully these details will help you track this down!