I wrote a script called wp-diff you can use on the command line to implement the comparison step Brad Dalton mentioned.
If you have many sites, a command line tool is far faster to use + can get to all your WordPress install files, with no requirement to change the Apache (or other server) config. Usually Web servers are configured to block access to .php files inside WordPress installs that should only be used by WordPress + should be hidden from the outside world.
First step is knowing if any WordPress core files have been changed.
Second step (command line again) is doing a ‘diff -r’ between a pristine copy of a theme (like twenty fifteen) + the theme being used.
I have a new client with 20-30 sites where someone foolishly made extensive modifications to twenty thirteen.
With these sites, I’m having to do what you’re doing.
1) find differences
2) move differences into child theme
3) switch back + forth between old hacked theme + pristine theme + child theme pair, to ensure all functionality is correct
I don’t see a way to attach a copy of my wp-diff script. If you’d like a copy, google me + find my Skype ID + send me an add-contact request with a message that you’re requesting a copy of wp-diff.
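
Steps 1 and 2 of the list above, as an added example that is not the wp-diff script and not code from this post: `theme_changes` lists what differs between a pristine theme and the modified one, and `stage_child` copies the changed files into a child theme directory. The function names, the output codes and the sample trees are assumptions made for this example.

```shell
#!/bin/sh
# theme_changes PRISTINE MODIFIED: "A path" = only in modified, "M path" = content
# differs, "D path" = missing from modified. Paths are relative to the theme root.
theme_changes() (
    pristine=${1%/}; modified=${2%/}
    [ -d "$pristine" ] && [ -d "$modified" ] || {
        echo "usage: theme_changes PRISTINE_DIR MODIFIED_DIR" >&2; exit 2; }
    (cd "$modified" && find . -type f | LC_ALL=C sort) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$pristine/$rel" ]; then printf 'A %s\n' "$rel"
        elif ! cmp -s "$pristine/$rel" "$modified/$rel"; then printf 'M %s\n' "$rel"
        fi
    done
    (cd "$pristine" && find . -type f | LC_ALL=C sort) | while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$modified/$rel" ] || printf 'D %s\n' "$rel"
    done
)

# stage_child PRISTINE MODIFIED CHILD: copy added/changed files into CHILD.
# Root functions.php and style.css are only reported (MERGE): a child theme's
# functions.php loads in addition to the parent's and its style.css needs its own header.
stage_child() (
    pristine=${1%/}; modified=${2%/}; child=${3%/}
    theme_changes "$pristine" "$modified" | while IFS= read -r line; do
        kind=${line%% *}; rel=${line#* }
        case "$kind:$rel" in
            D:*) printf 'REVIEW-DELETED %s\n' "$rel" ;;
            [AM]:functions.php|[AM]:style.css) printf 'MERGE %s\n' "$rel" ;;
            *) mkdir -p "$child/$(dirname "$rel")"
               cp -p "$modified/$rel" "$child/$rel"
               printf 'COPIED %s\n' "$rel" ;;
        esac
    done
)

# Constructed sample trees (not real theme files) so the example runs offline.
make_sample() {
    mkdir -p "$1/pristine/inc" "$1/hacked/inc"
    for f in header.php footer.php functions.php inc/tags.php; do
        echo "<?php // stock $f" | tee "$1/pristine/$f" > "$1/hacked/$f"
    done
    for f in header.php functions.php; do echo '// edited in place' >> "$1/hacked/$f"; done
    echo '<?php // new file' > "$1/hacked/inc/custom widget.php"
    rm "$1/hacked/footer.php"
}

demo=$(mktemp -d) && make_sample "$demo"
stage_child "$demo/pristine" "$demo/hacked" "$demo/child"; rm -rf "$demo"
```

An `A` line for a file that no theme edit explains is worth reading before it is copied anywhere, since the same listing that drives the child-theme move also surfaces files dropped into the theme by someone else.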