It is possible to give VPN access to SQL Server that currently has one default instance.

please check,how he connecting to sql server .if he using sql client component or taking access of entire server aceess.

create low priviledge windows login then map that login to particular database which he want to access.Bcoz as we all know windows authentication is more secure.

Is it possible to create a second instance and only allow the vendor access to that second instance through VPN?

yes.u can but plz check sql server browser service is not running .bcoz if it is running then it will show no of instances

please observed activity what time he is connecting .