1) Are you sure that they are using the subdomain? They could be connecting via IP or an alternate host address.

2) Are you using TLS? Unless you are using a wildcard cert, then the FQDN will have been published as part of the certificate transparency logs.