check whether the abuse did come from Tor, rather than another computer that was on the same internal networh (thus sharing the public IP address).
Many ISP's run netflow logging or its equivalent for some combination of statistics and security purposes. Being effectively an ISP, a Tor node operator would be able to discriminate between the two traffic sources by segmenting and logging their networks appropriately. Any look of the ISP's gear would then give the ISP a bit of defense against that question. Do your own work regarding legality and effectiveness of such logging in your area and application.