I can recommend a few steps, although most are outlined on our website so it's more of a personal recommendation.
Someone constantly attempting to reset your password would push me towards believing that they have or have had e-mail access in the past. Keeping it somewhat in the order of what I recommend, I'd do the following if it were my account.
For whichever e-mail provider you use, I would Google "inbox rules" and make sure you have none enabled on your e-mail account. I would then look at e-mail forwarding and make sure that there are none you do not recognize. Hijackers tend to apply one of the two mentioned above as it means that they can still technically access your e-mails without having access to your e-mail account.
Once you've confirmed that none of the above are true, I would log into your account on the Runescape website and look at "linked accounts". Make sure there are none there that you do not recognize. People link Google or Steam accounts to bypass the need for an authenticator and password, even if they have been updated.
Finally, I would change the password for your e-mail and Runescape account and re-add a new authenticator to both accounts. This eliminates any access to the current authenticators (if any) on the account.
Again, some of the above is recommended on our support pages but a little is also personal recommendation. Hopefully this assists with keeping your account secure.
Also, if by some chance those e-mails aren't from Jagex (generally they'll mention some random e-mail address in the e-mail message which makes it more obvious that it's a phishing attempt) you can create an inbox filter that filters out e-mails that have that specific e-mail address in the message text. They change it frequently, but it prevents phishing e-mails from that person for a while.