Some cross platform software is written in Java and includes its own runtime so you don’t need to install Java explicitly. This is not uncommon for scientific software, some commercial software such as papercut printer accounting, and I’ve seen some SQL front ends that do but can’t remember which they are or if they still do. But even if a Java app uses Log4j it’s unlikely that it would be easy for an outsider to attack it unless it’s a server product such as non-client papercut.
If you right-click on an app and ‘Show Package Contents’ you can poke around to see if there are any .jar files; if so, there are least some parts of the app using Java. Where in the app package they show up depends on which development environment was used. Someone with better command line ‘find’ skills than I have should be able to come up with a command to search all apps in one go.
Whether a java app uses Log4j isn’t obvious, since source code isn’t included in the apps I’ve looked at.
If still worried in spite of the small risk:
If the app doesn’t rely on network access, you can just block its net access completely with little snitch or other application based reverse firewall. If it’s an open source app, you can go to the developer’s page, download the source and search it. Commercial software developers might have a notice that you should stop using it until a fix is available or that they never used it.