You can trying using auditd to audit the file.

sudo apt-get install auditd

Running sudo auditctl -l by default show no rules

Create a temporary rule to audit changes to index.php

sudo auditctl -w /var/www/html/index.php -p rwxa # -p = read, write, execute, attributes

Run sudo auditctl -l will show the rule that was created.
Now run sudo ausearch -f index.php | more to show what's touching index.php
or sudo tail -f /var/log/audit/audit.log | grep index.php.

WordFence is great as mentioned earlier. I also like to use TAC (Theme Authenticity Checker) and Theme-Check. Simply, TAC looks for code that doesn't belong and T-C looks to see if theme is coded to the latest specs.

I also like to check the site with http://securi.net

The hardening info is good to follow. I don't have Administrator or admin as a user and all passwords are mixed upper & lower case, numbers and symbols.

I can't stress the need to update WP, the themes and plugins. If the plugin hasn't been updated in over a year, it might be time to find something new or fork the plugin with your code.

We use WordPress for all of our clients websites. We figured if it is good enough for the NY Times and the Huffington Post, it's good enough for our clients!