Wonder if anyone can help.

On our office network (Active Directory, DHCP, DNS etc) we have three
NETGEAR WN802T used as access points for laptops onto the network.
These AP's are secured using WPA-PSK with a long and complicated
key, and they have had default ssid's, passwords etc changed.
Looking through DHCP on the Server I noticed two address leases from
computers outside our domain.

Trying to narrow down the likely culprits, I wonder is it likely to
someone with access to the WPA key or is WPA still not secure
enough to stop unauthorized access?

Question: Should WPA stop the DHCP server offering leases through the
Access points?

Any help much appreciated.