Admin Password Is Being Changed By An Unknown Entity

This admin account is presently the only user account running on the website. No one else has access to the login details except myself.
The password is “very strong” – featuring capitalisation, numbers, word separators, etc. The username was changed from “admin” to something else less obvious and not connected to the domain name.
I also have 2FA authentication setup, along with a trusted security plugin that has securely kept other websites that I run.
WP, themes & plugins are up to date.

Nevertheless, I get WP emails about the password being changed.
Thinking my password was compromised, I changed it. I logged out of every other session. I even changed the user name.
But the same issue persists.
The security plugin logs will show several blocked attempts to access certain files. Those IPs are banned. Nonetheless, a few hours later, I get another WP email about the password being changed.
Then I repeat the process of changing the password, etc.
It has been an endless cycle.

However, whoever is changing the password has not made any visible changes to the site. I also recently installed Sucuri as an additional measure, to give prompts whenever any changes are made on the backend by a logged in user.
The only prompts I get are of changes I myself make while running maintenance. Sucuri (and my Security plugin) also scanned for malicious code & files, but both found nothing.

What do you recommend that I should do to resolve this?
I will greatly appreciate any help given!