The only entity who can issue a certificate is one who can establish "control" over a domain, which basically means (to slightly oversimplify) either through being able to change a DNS entry, or through being able to create a file on a web server. So your DNS provider, or the hosting provider that you point the A/AAAA record to, can create a certificate, and usually that's exactly as intended (and ideally automatic, so that the owner of the domain doesn't need to worry about it).
Well, there are a couple things that can help for people who are trying to maintain more control over it:
- CAA records, which let you specify which certificate authorities can issue certificates for your domain. For Let's Encrypt specifically, they recently announced support for additional parameters which would let the records be locked down to a specific validation method or specific account. However, this still of course is under the control of the DNS provider, and some providers (Cloudflare I think?) might automatically add themselves to the CAA record to issue certificates on your behalf if you use them for DNS and also use their services that might use a certificate.
- Certificate Transparency logs, which allow all issued certificates to be publicly announced. There are a few services out there one can use to help keep an eye on them.
Well, it pretty much has to be someone who has control over the DNS or the server itself, so generally you can start with those companies and look at their documentation on when they might issue a certificate. In the case of something nefarious, I'm sure Let's Encrypt keeps various logs and so might know an IP address and account key and such, but I doubt that you could get access to it without a court order or the like.