OK, after using xp_logininfo i've found out what i need to know.
I tried running the above xp using the login i saw in the process list i.e xp_logininfo 'domain1\user1' and got nothing. We've just changed domains so i thought i'd just try using the old domain name instead and low and behold i got the info back, so i guess the two domains are still mapped in some way. The worst bit is it turns out these users are part of Bulitin\administrators, on a live box!! And yes i know, the builtin should be removed. This is all part of my security audit after just arriving in this job.
Growing old is mandatory, growing up is optional