Hi,
Do you host your own copy of roundcube or are you an end user? Roundcube is an imap client it doesn't store your imap password.
If you host your own copy: you could check your imapd and httpd logs to see who has logged in to your account from where.
If you are an end user: you should contact your ISP and ask them to find out where the message came from.
If someone else has got into your account and been using it to send spam that is, ofcourse, serious. The first thing to do is to find out how they got in, for that you need to check server logs. Just because you use Roundcube webmail it doesn't mean it must of somehow of been connected to that. If it was then the devs will want as much info as possible about what happened if they are going to have any chance of stopping it from happening.