WPA2 is pretty hard to crack, but in all likelihood it's not WPA2 that's been cracked.
Make sure that WPS is disabled and make sure the router is on the latest firmware (WPS has a known vulnerability that makes it trivial to bypass the security).
Make sure that the access point name is not the default name. The AP name is often used in the hashing mechanism for the WPA2 security, and there are lookup tables to allow people to quickly figure out the password (rainbow tables). Changing the AP name to something non-default will likely prevent their use.
Make sure you are using WPA2-PSK AES only, not one of the combined WPA & WPA2 or TKIP encryption methods.
Change the AP password to something long (more than 12 characters should do it). Make sure you use a combination of character sets: upper case, lower case, numbers and some special characters.
Disable UPnP too.
If someone is still getting on the network after that, then they are probably getting in through something other than the wifi.
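The AP-name and password advice above can be checked with the following Python code, which is an added example and not part of the original answer. It derives the WPA2-PSK master key the way the standard does (PBKDF2-HMAC-SHA1 with the network name as salt) to show why a table built for a default name is useless once the name changes, and it audits a name and passphrase against the rules given here. The names `wpa2_pmk`, `audit` and `DEFAULT_SSIDS`, and all sample network names and passphrases, are constructed for illustration.

```python
import hashlib
import string

# Illustrative sample of factory-default network names (constructed, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

# Character classes the answer asks for: lower, upper, digits, specials.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def wpa2_pmk(passphrase, ssid):
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit(ssid, passphrase):
    """Return a list of findings for an SSID/passphrase pair."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: precomputed tables for this name may exist")
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase length is outside the 8-63 characters WPA2 accepts")
    elif len(passphrase) <= 12:
        findings.append("passphrase is 12 characters or fewer")
    used = sum(any(ch in cls for ch in passphrase) for cls in CLASSES)
    if used < len(CLASSES):
        findings.append("passphrase uses only %d of 4 character classes" % used)
    return findings


if __name__ == "__main__":
    # Same passphrase, two network names: the derived keys share nothing,
    # so a table precomputed for one name cannot be reused for the other.
    phrase = "Correct-Horse-42-Battery!"          # constructed sample
    for name in ("linksys", "attic-7f"):          # constructed samples
        print(name, wpa2_pmk(phrase, name).hex())

    for name, pw in (("linksys", "password1"), ("attic-7f", phrase)):
        print(name, audit(name, pw) or "no findings")
```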