Well, as to what I would expect, I would expect a non-direct line, so something went through their phone exchange at that time. A simple DSL enquiry would give details of when the call came in, when it was routed to that room, and the number it called from.
No incoming, it was a desk call. Ergo, who was on desk? Simple.
Then you sit them down, shine a bright light in their eyes, and say, in a suitably cockney accent "Karm on, it was you what done it, warn't it? Own up or we'll do you!" (Oh go on, you all know what I mean . . . .)
If it WAS an incoming call, then the number will be present. And you still have a valid question and to why the call was routed, who by, what they claimed to get it routed to your room, and where it came from. If the Uni has a credit card with its details released into the wild, they need to know. But calling you by name is more suspicious. How did they know it was you if it was under the university bill?
Second, someone must have accessed the hotel database for the details. That's what access logs are for. For a business to be able to track who does what, when, and where they looked. Even something from the computer stone-age (pre-90) has some sort of log that will show that. It's a simple text file, but they can usually be accessed via a managers log-in in whatever back office they're using.
So no, I don't buy it. Something this serious, a major breach of a private and secured system, and this is their response? No. Years in retail and dealing with a computer and I can (figuratively speaking, this is) track a flea crawling across the office carpet.
4am (the ghosting hour, when people are at their least alert), your personal name (apparently unusual, so not a common misdirection claim), and a few "creative" mistakes regarding your folio? It screams in-house.