Drupal core never resets a user password without interaction from a user.
My best guess it that someone is asking for a new password via /user/password on an account that don't belong to them.
Lets say I have an account called "bratanon" and my friend have one called "foobar". I can then go to www.yoursite.com/user/password and when the site asks me for "my" username tell the site I am "foobar".
Foobars password will now be changed, and he/she will receive a mail with a link to change it.
Or you have installed a none-core module that does this.