The most important thing to realize is that your server is compromised through and through. While the attacker may not have installed any rootkits or the like, you have no way of knowing. Your only options is to take the system offline and analyze it using an external source. The sooner the better, as otherwise you'll be trampling over any evidence yourself through normal use of the server.
So, essentially, take the server offline, take out the disk, clone it, wipe it down, use backups (if you have them!) to get a usable state back, then start to look at the data on the disk (remember to just examine the data - do not ever boot the system).
If you're lucky, you'll find traces of the attacker left in the web server logs or ftp logs. Depending on the level of access, you might also be able to find something in the auth logs. Obviously, check through any logs the system offers - maybe you'll get lucky.