Here are some tips for unmasking a site hosted behind CloudFlare. YMMV as I have not yet tested these.

Find an email-me page on the site and see if you can get it to send you an email. If the email isn’t filtered thru internal engines, you might be able to tell what the server’s IP address is.
SecurityTrails can search domain history.
NetCraft Site Report contains a domain history.
Mnemonic’s Passive DNS Search Engine may contain a domain history.
CrimeFlare might have a record if the DNS was use for criminal activity, phishing, etc.

Credit where credit is due…

Find The IP Address Of A Website Behind Cloudflare
Resolve CloudFlare IP Leakage