Changing a MAC may not be enough to gain access to a local network. wi-fi access can also require a local software token to register the host,
From the article: "Tufts said she stole a librarian’s password to assign a mysteriously created user account, “Scott Shaw,” with a higher level of system and network access."
Apparently librarian has the power to create network administration accounts so I suspect we're not dealing with a paragon of information security here. It would be mighty interesting to see all the MAC address logs from all the on-campus wi-fi routers and see if this MAC address was ever observed being in two places at once.
The times the fitness tracker recorded her being asleep are meaningless - anyone could've been wearing it. But the times she was being physically observed, and particularly the instance of physically observed + not on computer are intriguing. It would also be interesting to profile the interaction of the times she was being physically observed versus the interactions taking place in the "hacking". If you're being physically observed to create an alibi, then you're using a script to do your hacking in the background and that's generally going to look much less stochastic than live human interaction.