Curator would not need to be deployed together with the cluster as it only requires access to the cluster. The fact that only one cluster is affected suggests the possibility that someone has set up something externally against just this cluster and are using the API to delete indices.
I would therefore follow the guidance given and try to identify the source using either audit logs with the trial license or monitoring of connections at the TCP level around the time indices are deleted.