Forum Discussion
Why would a hacker/scammer put a domain INTO my exchange online admin?
You can review the Purview Audit search to look for audit logs (as long as auditing was enabled!).
I'd be logging a ticket with Microsoft to get the domain removed ASAP.
Definitely a bit of a weird one. I'd say this is a form of Business Email Compromise and they are trying to trick vendors/partners into sending money their way, but why they would use your tenant is a bit unusual if they could just set up a new tenant and add the domain there. If they were able to register the domain in your tenant, the malicious actors obviously also have access to the other domain's DNS records as well, so that ain't good!!
I'd be locking down all the GA/privileged accounts ASAP. Best practice is to not give user accounts GA access and make admins use a separate privileged account to do any admin tasks. This means that if their user account is compromised, at least the bad actor doesn't get admin privileges in the tenant straight away.
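
One way to run the audit search suggested in the reply above, as an added example that is not part of the original post: it pulls directory and Exchange admin audit records and keeps the ones whose operation name mentions a domain, so you can see which account touched the domain and when. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and a 90-day look-back window; which `AuditData` fields are populated varies by record type.

```powershell
# Added example, not from the original thread.
# Assumptions: ExchangeOnlineManagement module installed, auditing was enabled,
# and a 90-day window covers the time the domain appeared.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-90)
$end   = Get-Date

$hits = foreach ($recordType in 'AzureActiveDirectory', 'ExchangeAdmin') {
    # One paging session per record type
    $sessionId = [guid]::NewGuid().ToString()
    do {
        # ReturnLargeSet pages through results, up to 5000 records per call
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType $recordType -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000)

        # Keep domain-related operations only (-match is case-insensitive,
        # so this also catches *-AcceptedDomain cmdlets in ExchangeAdmin)
        $page | Where-Object { $_.Operations -match 'domain' }
    } while ($page.Count -eq 5000)
}

# ReturnLargeSet results are unsorted, so order them before reading the timeline
$report = $hits | Sort-Object CreationDate | ForEach-Object {
    # AuditData is a JSON string; fields that a record type lacks come back empty
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $_.CreationDate
        Actor     = $_.UserIds
        Operation = $_.Operations
        Result    = $data.ResultStatus
        ClientIP  = $data.ClientIP
        Targets   = ($data.Target.ID -join '; ')   # directory records
        ObjectId  = $data.ObjectId                 # Exchange admin records
    }
}

$report | Format-Table -AutoSize -Wrap

# Keep a copy to attach to the Microsoft support ticket
$report | Export-Csv -Path .\domain-audit-events.csv -NoTypeInformation
```

An empty result means either nothing matched in the window or auditing was not enabled at the time, which is the caveat the reply already raises.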