It could be anywhere, and it could be anything. It could even have been deleted.
We did have a situation a while back where a client lost control of their password due to a keylogger and someone was uploading a CGI script to spam emails, running it then deleting it. We only found out via FTP logs what was going on.
Try checking your ftp logs, web server logs and if all that fails and you are sure it is php then try searching for eval(
as that is an often used tactic to hide what a script is doing.
More importantly though, my suggestion would be to get someone who is experienced in server management to have a look at your site as a matter of urgency. If they were able to upload a file to your site once, then even if you remove it, it won't stop them doing it again until you find exactly how they were able to do it.