Hello Tom. 
Please keep the knowledge in the following topic in mind, my friend:
Given that the ACME process was carefully designed to specifically prevent issuance of certificates to unauthorized parties and that those of us responding to you in this thread have collectively helped many thousands of people with certificate-issuance concerns, you can be fairly certain that if there were a strong concern, we would be the first to sound the alarm. That said, we do appreciate your vigilance and concern here and genuinely hope that both continue unabated. If these staging certificates were not deliberately (or accidentally) created by you, I believe they were almost certainly created by an entity to which you have delegated some significant degree of trust (your DNS provider or hosting provider). It would be necessary for such an entity to also know your email address for you to receive the expiry notifications, which further limits the field of suspects.
PS:
Unfortunately, you have hit into an area of disadvantage for purposes of investigating foul play. Tools like https://crt.sh are not available for staging certificates.