How resources are provisioned (through CloudFormation or Manually or Coding) ?

Resources created via CloudFormation are not automatically tagged with anything to show that they've been created via CFN. A Best Practice is to ensure that if you are creating those resources via some kind of IaC, that you had specific tags to the resources themselves, for just this reason. I generally recommend adding a tag that shows which version of code this resource was instantiated by, for troubleshooting purposes later. This goes for all IaC resources - not just ones created by CloudFormation.

Since there aren't tags added by CFN (automatically), there's no immediate difference between a resource created by CloudFormation and one created by hand, whether that's AWS CLI, programatically, or through the console. Again - it's always a good idea to add tags to those resources - at least to ensure you can capture who created the resoruce, why, who's paying for it, and perhaps other Operational needs (like if it needs to be backed up, or has a specific lifetime associated).

As far as resources changing after provisioning, you can use CFN drift detection, or you can enable Config. Drift Detection will tell yo uspecifically which resources have changed from the time you originally instantiated them (with CloudFormation), vs. Config - which will tell you specifically what changes have happened, who made those changes and what the previous configuration was, in case you need to roll-back. Make sure to enable Config Recorder BEFORE you initially instantiate anything, so it can record those changes as you make them.