Watch a directory for file creation:
auditctl -w /usr/bin -p w -k root-comped
Then grep for that key in the audit log:
grep root-comped /var/log/audit/audit.log
Output like this appears when a file is created in /usr/bin:
type=CWD msg=audit(1546980211.589:149675): cwd="/"
type=PATH msg=audit(1546980211.589:149675): item=0 name="/usr/bin/" inode=360450 dev=ca:01 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1546980211.593:149676): arch=40000003 syscall=10 success=yes exit=0 a0=ffd2c806 a1=0 a2=ffd2c806 a3=20620 items=2 ppid=1 pid=26062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="miuenxkgxk" exe="/usr/bin/miuenxkgxk" key="root-comped"
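
The parser below is an added example, not part of the original note. It splits audit records even when several sit on one physical line, keeps the SYSCALL records tagged with the watch key, and sets two triage flags: an unset auid (4294967295) and an executable that lives inside the watched directory. The function names and the watch_dir parameter are assumptions made for the example; the sample records are the ones shown above.

```python
import re

# Sample records copied from the output shown above, one record per line.
SAMPLE = """type=CWD msg=audit(1546980211.589:149675): cwd="/"
type=PATH msg=audit(1546980211.589:149675): item=0 name="/usr/bin/" inode=360450 dev=ca:01 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1546980211.593:149676): arch=40000003 syscall=10 success=yes exit=0 a0=ffd2c806 a1=0 a2=ffd2c806 a3=20620 items=2 ppid=1 pid=26062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="miuenxkgxk" exe="/usr/bin/miuenxkgxk" key="root-comped"
"""

# A record starts at "type=X msg=audit(epoch.ms:serial):"; \b skips "nametype=".
HEADER = re.compile(r'\btype=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): ?')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uid_t)-1: the process has no login session


def parse_records(text):
    """Yield one dict per audit record, even if several share a physical line."""
    headers = list(HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {k: v.strip('"') for k, v in FIELD.findall(text[h.end():end])}
        yield {"type": h.group(1), "time": int(h.group(2)),
               "serial": int(h.group(3)), "fields": fields}


def watch_hits(text, key, watch_dir="/usr/bin"):
    """Return SYSCALL records tagged with `key`, with triage flags (assumed names)."""
    prefix = watch_dir.rstrip("/") + "/"
    hits = []
    for rec in parse_records(text):
        f = rec["fields"]
        if rec["type"] != "SYSCALL" or f.get("key") != key:
            continue
        hits.append({
            "serial": rec["serial"], "time": rec["time"],
            "exe": f.get("exe"), "comm": f.get("comm"),
            "pid": int(f["pid"]), "ppid": int(f["ppid"]), "uid": int(f["uid"]),
            "no_login_session": f.get("auid") == UNSET_AUID,
            "exe_in_watch_dir": (f.get("exe") or "").startswith(prefix),
        })
    return hits


if __name__ == "__main__":
    for hit in watch_hits(SAMPLE, "root-comped"):
        print(hit)
```

On a live host, `ausearch -k root-comped` returns the complete events for the key rather than only the log lines that contain it.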