header.php.wpseobak - is found in the theme folder (not always).
WordPress SEO only creates this file when it needs to change a themes built-in hard coded meta description function.
The wpseo function is found in plugins/wordpress-seo/admin/pages/dashboard.php on line 64 in section starting on line 49, ending line 89
$backup_file = date( 'Ymd-H.i.s-' ) . 'header.php.wpseobak';
Because it's hard coded in the theme, it cannot be removed by a filter action. Instead the plugin backs up the original theme file, removes the hard coded meta description section, and adds the WordPress SEO dynamic meta description function.
It has to, or there will be 2 meta descriptions, which are not too good for SEO...
The file you found named header.php.wpseobak is OK. it's supposed to be there if the requirements mentioned above exist. It's not a malware script.
But it's very good you are cautious :)
To set your mind more at ease, because of the extension, .wpesobak, PHP cannot execute the file anyway. (same applies to extensions like .backup and so on which you sometimes find if the server techs have worked on the site
If you're still worried, you may e-mail header.php and header.php.wpseobak to [ redacted ] for free manual inspection (must be in zipped folder or mail server will strip .php attachments)and let me know the theme!)