In addition to object ownership within a database make sure the login does not own any databases themselves or any Agent jobs.

SELECT *

FROM sys.databases

WHERE SUSER_SNAME(owner_sid) = N'login_name_in_question';

SELECT *

FROM msdb.dbo.sysjobs

WHERE SUSER_SNAME(owner_sid) = N'login_name_in_question';

After ruling out ownership of any kind consider creating a server-trigger that writes a row to a table any time the login in question is used to connect to the instance. This would help know if any application or person was actively using the login. If nothing turns up, from there I might disable the login for a while to see if anyone steps forward asking about the login. I would hope to either leave it disabled in between the vendor's maintenance needs or drop it and re-add when the vendor needs it, then drop it again when they're done.