You need better logging. Try doing a packet capture with tcpdump then decrypt the HTTPS traffic. Because what you've described so far, especially before the edit makes no sense.
If you don't have a DNS record pointing the subdomain to the IP address of the server, it shouldn't be possible to resolve the IP for random Internet users. If this VHOST only exists in your Apache config file and nowhere else, it is private.
You need better logging. Try doing a packet capture with tcpdump then decrypt the HTTPS traffic. Because what you've described so far, especially before the edit makes no sense.
If you don't have a DNS record pointing the subdomain to the IP address of the server, it shouldn't be possible to resolve the IP for random Internet users. If this VHOST only exists in your Apache config file and nowhere else, it is private.