There is no doc showing where these tokens have been stored. They can only be created through web and Rest API. One of the pre-requisite is to having the kvstore enabled for tokens to work. I am guessing they might get stored there for security reasons. I have asked a question to Splunk docs feedback section hope they get back. Hope this helps!
An upvote would be appreciated if this reply helps!