I suspect our tester just ran a scan instead of doing a proper application pen test. How can I find out?
The simplest is to ask him for sample test cases he used in the pen test.
If you can't do that, check your web server logs for heavy activity from a single IP address - that's probably the scanner. Assuming the pen tester would have come from a near-by block, filter your logs for that /16 block. You will most likely be able to zoom in on what the pen tester did. If you have an IDS, locating the pen tester's IP is easier - the IDS would have triggered alerts during the scan.
If your app maintains detailed logs, then check the audit trail for the user logins you gave the pen tester before the test.
Again, the simplest is to ask the tester for sample test cases if you aren't satisfied with the results.