Channel: VMware Communities: Message List

Re: Who deleted this datastore? - a script? - a bug? - misconfigured tool?


"...I need to find out if the commands were entered manually via ssh or whether it was a cronjob or interaction via some API..."

 

If you look at the timestamps, I think you can exclude the first option. No one would enter the corresponding commands manually so fast. I dare to say that even a scripted ssh connection or a client-server API connection on the local network could not be that fast.

 

I think someone gained shell access to the ESXi host (remote or local), uploaded a malicious script, and let it run. Check the time of the first suspicious log entry: if it has a "rounded" time (e.g. 14:25:00.00), it was probably started by cron. If the time seems random (e.g. 13:23:39.310), the script was started manually while the attacker was logged in.

 

If you still have the original datastore, try to analyse it. In our company the standard procedure is to grab images of all affected disks before doing anything else. The content of the disk images is then parsed, looking for ASCII strings. That might reveal important evidence, if the disk was not zeroed, random-wiped, or encrypted. Also check all other log files (I hope you collected them with a central log collector). Find out which ESXi version was running and, if it was not the latest one (at the time of the incident), what security problems were known and not fixed. I know this is all tedious work, but that's what forensic analysis is...
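The two triage heuristics in the reply above (inter-event spacing too fast for a human, and a "rounded" start time pointing at cron) plus the strings(1)-style sweep of a disk image can be scripted. The following is an added example written for this page; it is not code from the thread, from the reply's author, or from VMware. The log lines and the "disk image" bytes are constructed for the example, the syslog-style ISO-8601 timestamp layout is an assumption about what the reader's logs look like, and the thresholds (1 s as the fastest plausible human interval, 0.5 s of slack after a minute boundary for cron) are assumptions to tune, not values from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the original thread). Four suspicious
# events ~40 ms apart, with the first one landing exactly on a minute boundary.
SAMPLE_LOG = """\
2023-05-02T14:24:58.812Z esx01 Hostd: [sub=Vimsvc] User root logged in
2023-05-02T14:25:00.000Z esx01 Hostd: [sub=Vmsvc] Unregistering VM vm-42
2023-05-02T14:25:00.041Z esx01 Hostd: [sub=Vmsvc] Unregistering VM vm-43
2023-05-02T14:25:00.083Z esx01 Hostd: [sub=Vmsvc] Unregistering VM vm-44
2023-05-02T14:25:00.120Z esx01 Hostd: [sub=Vmsvc] Datastore ds01 unmounted
"""

# Constructed counter-example: the same actions spaced many seconds apart,
# starting at a non-rounded time, as an interactive session would produce.
MANUAL_LOG = """\
2023-05-02T13:23:39.310Z esx01 Hostd: [sub=Vmsvc] Unregistering VM vm-42
2023-05-02T13:23:52.774Z esx01 Hostd: [sub=Vmsvc] Unregistering VM vm-43
2023-05-02T13:24:07.105Z esx01 Hostd: [sub=Vmsvc] Datastore ds01 unmounted
"""

# Assumed timestamp layout: ISO-8601 with millisecond precision and a Z suffix.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{1,6})Z\s")

def parse_log(text):
    """Return [(datetime, message)] for every line whose prefix matches TS_RE."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts.replace(tzinfo=timezone.utc), line[m.end():]))
    return events

def select(events, pattern):
    """Keep only events whose message matches the regex pattern."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e[1])]

def min_gap_s(events):
    """Smallest interval between consecutive events, in seconds (None if < 2 events)."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return min(gaps) if gaps else None

def looks_scheduled(ts, tolerance_s=0.5):
    """'Rounded' start time heuristic: within tolerance_s after a minute boundary.
    The slack allows for the delay between cron firing and the first log line."""
    return ts.second + ts.microsecond / 1_000_000 <= tolerance_s

def classify_burst(events, max_human_gap_s=1.0, tolerance_s=0.5):
    """Label a suspicious event sequence as 'manual', 'cron' or 'script'.
    Spacing below max_human_gap_s rules out typing; a rounded first timestamp
    then points at cron, anything else at a script started interactively."""
    if not events:
        return "unknown"
    gap = min_gap_s(events)
    if gap is None or gap >= max_human_gap_s:
        return "manual"
    return "cron" if looks_scheduled(events[0][0], tolerance_s) else "script"

# Constructed stand-in for a raw disk image: binary padding around a short,
# harmless shell fragment. Not a real artifact from any incident.
FAKE_IMAGE = (b"\x00" * 32
              + b"#!/bin/sh\n# constructed fragment, not a real artifact\n"
              + b"esxcli storage filesystem list\n"
              + b"\xff\x10" * 8)

def extract_strings(blob, min_len=8):
    """strings(1)-style sweep: printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def main():
    events = parse_log(SAMPLE_LOG)
    burst = select(events, r"Unregistering|unmounted")
    print("min gap %.3fs -> %s" % (min_gap_s(burst), classify_burst(burst)))
    print("manual log ->", classify_burst(select(parse_log(MANUAL_LOG), r".")))
    for s in extract_strings(FAKE_IMAGE):
        print("string:", s)

if __name__ == "__main__":
    main()
```

Run the same selection over the real hostd/vmkernel logs with a pattern matching the deletion events, and feed the output of extract_strings (or plain strings(1), which is faster on multi-terabyte images) into a keyword search for the datastore name and the commands that removed it.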

