Two possibilities, with a few Ifs.
Possibility #1:
- Take a look at the created timestamps on the malicious files (assuming they're separate files); or last-modified timestamps (if malware was injected into one of your files).
If you have access to your web server access logs (depending on your hosting plan and service provider, the location, name and method of getting them would be different); and
If you have those logs for the time-range when those files were created/modified; then
- Search through those logs for PUT or POST messages targeting those files.
Since you already mentioned Webalizer - you probably did some form of this already. Hopefully the narrowing down that I mentioned might help; or use of another tool (even a manual search through the logs) might identify what is being missed.
Possibility #2:
Some WordPress security plugins (not all) do create separate logs that you can dig into. I know that Sucuri's service does this; and probably Wordfence too. I have a product that does this (ActiFend) too, though the logs are stored on our servers.
If you were using any such plugin -or- any other remote logging solution, either you or any security analyst would be able to dig through them to get some idea of the IP address (that is not the same as who did it, but it is still something).
For the future: Being prepared is the key. If you accept that you will be hacked at some time or the other, then you'd set up both remote monitoring and recovery.
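The log search from Possibility #1, as an added example that is not part of the original answer: it filters an access log for PUT/POST requests within a window around the file's timestamp and marks those that target the file itself. It goes slightly beyond the text by also listing PUT/POST requests to other paths in the same window. The Apache/nginx "combined" log format, the function name, the file path and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_write_requests(log_lines, file_path, file_time, window_minutes=10):
    """Return PUT/POST requests within +/- window_minutes of file_time.

    file_time must be timezone-aware, e.g.
    datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc).
    Each hit is (timestamp, ip, method, path, status, targets_file).
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("PUT", "POST"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - file_time) > window:
            continue
        path = m["path"].split("?", 1)[0]  # compare without the query string
        hits.append((ts, m["ip"], m["method"], path,
                     int(m["status"]), path == file_path))
    return sorted(hits)

# Constructed sample log lines (documentation-range IPs, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:12:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "curl/8.0"',
    '203.0.113.45 - - [12/Mar/2024:03:15:40 +0000] "POST /wp-content/uploads/suspect.php?x=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed timestamp standing in for the suspicious file's mtime.
SAMPLE_FILE_TIME = datetime(2024, 3, 12, 3, 14, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, ip, method, path, status, direct in find_write_requests(
            SAMPLE_LOG, "/wp-content/uploads/suspect.php", SAMPLE_FILE_TIME):
        flag = "TARGETS FILE" if direct else "same window"
        print(f"{ts.isoformat()} {ip} {method} {path} {status} [{flag}]")
```

If the server writes logs in local time, the `%z` offset in each line keeps the comparison correct as long as the file timestamp is also timezone-aware.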