My site was just hacked.  No damage was done (that I could find).

Someone created an account on my forum that had Administrator rights.  It was not set as active, however.

I'm guess that they created an account with a fake e-mail address, then cracked my password and made themselves an administrator? 

That's the only thing I can guess.

I've changed my passwords to something much harder to crack.

It might be one of my students.  I teach a Cisco networking class and I know some of them have access to password cracking programs.  But it could be someone else.

If they never posted, is their a way to track the IP address they used when creating the account?

Does your server have a log file?  You could look from there.

You were lucky no damage was done, now you will be more careful!

On http://forums.webwiz.net/forum_posts.asp?TID=6032&KW=wistex - this topic  you posted the following:

Wistex wrote: I am not sure what he is doing, but one possible use for this type of configuration is to allow multiple websites to share the same forum, yet have their own look and feel.  That way, when people post in one website, their post appears on the other, and vice versa.  As a result, the forum builds more users and more posts than it would otherwise.  And more users and more posts attracts more users and more posts.  It speeds growth. Actually, I have seen this done before with a forum, and it worked quite well for them.  Within a year, their forum has become quite busy.  They currently have about a dozen websites who have their own skinned version of the forums all sharing the same database. I liked the idea so much, that I am going to do the same with one of my forums. We are already putting together a package that will allow websites that complement ours to have our forums on their website.  This arrangement is great for smaller sites who want the stickiness that a forum creates, yet does not have enough traffic to generate enough posts to sustain an active forum, yet has enough traffic to bring new members and posts. Plus, as an added bonus, our website, which we are developing into a portal, will get recognition and advertising on other websites.  It's a win-win situation.

If you really did that then that's the most possible explanation, since WWF requires more than just permission to execute stored procedures anyone you make that deal with will actually have permission to execute any query on your database so they could have easily add a new admin account like that... That's why it's really a bad idea to do that... I was gonna post this on that topic but I forgot...

All the forums code resides on my server and they do not have access to it.  We make the forums look like their site, but it is still on my server.  That eliminates any security hole there.  I assign all accounts and am currently the only admin.