You can use the backlinks report in GSC or your referrer report in Analytics or other stats reports to see linking activity.

Go to these sites, source the code and look to see if they have your URL in an iframe. Look at the source code as well as the generated code. Also look at any feeds. Check the CSS as well to see if your URL is the target of any divs.

Blocking remote use of iframing your content is relatively easy. I use 2 methods concurrently. A script:

<script type="text/javascript">
if (parent.frames.length > 0) {
parent.location.href = location.href;
}
</script>

and the header tag in htaccess:

 
Header append X-FRAME-OPTIONS "deny"

This blocks browsers from displaying your iframe content. The remote site may still have the code in their mark-up, but visitors won’t see it.

As far as I know, almost everyone who would be doing this would be doing it behind password protection, I can't view those pages or their source.

And how do I distinguish between a normal link and someone using iframe if the referrer will show the same?

I don't want to start blocking iframe use generally, first I need to collect data to see if it's a genuine issue on the site or not.

Iframes will have iframe tags around the code on the remote site.

Sorry... that's the situation.

If you're not using iframes on your site, why not block their use. This is a common method of infringement.

BTW - blocking iframes via the above methods has no effect on Adsense advertisers using iframed ads on your pages.

one question, if I want to do testing on my own site, would that code bust me out of frames on my own site or is it not domain-based?

Shouldn't be any issues with using iframes on your site (parent.)