In reply to Greenbanks:
I imagine that iCloud should have some kind of list available of who's signed in where (eg. type of device, ip address). That would be worth looking at, if they do provide it. Try signing in to the iCloud website. You might be able to use it to log them out and/or inform Apple of the fraudulent access. (Though you should still change your password as well and look into enabling two-factor authentication, as well as my other previous suggestions.)
If you can't establish how they got access, you might want to consider changing other key passwords like main email accounts. You should certainly change any other accounts that shared the same password as iCloud.