in my experience, on a remote site, you either dispatch a technician to investigate or have someone onsite look for you around the AP that had discovered it.
On the controller you can run 'show wms ap list', 'show log security'. Amongst other commands to see what is going on.
If you have Airwave, you can look at the RAPIDS IDS Events list and find the particular Wireless Bridge Event to investigate further.
You can then run more detailed commands on the user's MAC, etc..
But if you can get hands-on on site, it would be best imo