Unexpected entries in authorized_keys - is my server compromised?
The dokku documentation says:
Warning: If you don't complete setup via the web installer (even if you set up SSH keys and virtual hosts otherwise) your Dokku installation will remain vulnerable to anyone finding the setup page and inserting their key.
If you did not do this, someone (probably using an automated scanner) found this link and put in their own keys.
Unfortunately, I do not know enough about dokku to tell you if this definitely means your system is compromised, but I would definitely be very suspicious that this is the case.