Still logrotate error

If you want to figure out which of the above processes it is (if none of the logs show it), you'd have to make that auditctl rule reboot-persistent, like below:

$ arch
x86_64
$ sudo nano /etc/audit/rules.d/pihole_logrotate.rules
-a always,exit -F arch=x86_64 -F path=/etc/pihole/logrotate -F perm=wa -k pihole_logrotate

$ sudo reboot

$ sudo auditctl -l
-a always,exit -F arch=b64 -S all -F path=/etc/pihole/logrotate -F perm=wa -F key=pihole_logrotate

If I test:

$ date; sudo touch /etc/pihole/logrotate
Wed Jun 11 05:50:38 AM CEST 2025
$ sudo ausearch -ts today -k pihole_logrotate
[..]
time->Wed Jun 11 05:50:38 2025
[..]
type=SYSCALL ... pid=651 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=3 comm="touch" exe="/usr/bin/touch"

EDIT: Check the two man pages below for what the above commands do:

man auditctl

man ausearch

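An added example, not part of the post above and not Pi-hole's own code: once the watch rule is loaded, the `ausearch` output can be reduced to one line per event plus a count per executable, so the process writing to `/etc/pihole/logrotate` stands out. The function names, the sample records and `example-daemon` are constructed for illustration.

```shell
#!/bin/sh
# Real use: sudo ausearch -ts today -k pihole_logrotate | summarize_writers

# Constructed sample records (not real audit data), in ausearch's default layout.
sample_events() {
cat <<'EOF'
----
time->Wed Jun 11 05:50:38 2025
type=PATH msg=audit(1749613838.101:210): item=0 name="/etc/pihole/logrotate" nametype=NORMAL
type=SYSCALL msg=audit(1749613838.101:210): arch=c000003e syscall=257 success=yes exit=3 ppid=650 pid=651 auid=1000 uid=0 gid=0 euid=0 tty=pts3 ses=3 comm="touch" exe="/usr/bin/touch" key="pihole_logrotate"
----
time->Wed Jun 11 06:25:01 2025
type=SYSCALL msg=audit(1749615901.442:305): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=902 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="example-daemon" exe="/usr/local/bin/example-daemon" key="pihole_logrotate"
EOF
}

# Reads ausearch output on stdin. Only SYSCALL records carry the process
# identity; PATH/CWD/PROCTITLE records of the same event are skipped.
summarize_writers() {
  awk '
    /^time->/ { when = substr($0, 7); next }   # remember the event timestamp
    /^type=SYSCALL / {
      split("", f)                             # clear fields of the previous record
      # auditd hex-encodes values containing spaces, so splitting on
      # whitespace and then on the first "=" is safe for key=value pairs.
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      gsub(/"/, "", f["comm"]); gsub(/"/, "", f["exe"])
      # auid 4294967295 means "unset": the process did not come from a
      # login session (typically a service or timer job).
      who = (f["auid"] == "4294967295") ? "unset" : f["auid"]
      printf "%s | pid=%s ppid=%s auid=%s uid=%s comm=%s exe=%s\n",
             when, f["pid"], f["ppid"], who, f["uid"], f["comm"], f["exe"]
      count[f["exe"]]++
    }
    END { for (e in count) printf "total %d %s\n", count[e], e }
  '
}

sample_events | summarize_writers
```

An `auid` of `unset` together with `tty=(none)` points at a service or scheduled job rather than someone working in a terminal; the `ppid` can then be looked up to find what started it.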