the plain text password is not stored in Oracle. It is discarded as soon as the password's hash is created.
Oracle does not store passwords in files. They are stored like all other data ... within a table within a relational database. When you create a user with a password, Oracle performs a one-way hash of the password and stores this value in the table. I'm not going to tell you which table, because working on that table can corrupt your database. Instead, use view DBA_USERS. For example, select username, password, account_status from dba_users. The password column shows the hashed password, not the plain text password.
technically, to answer your question, the "file" is the datafile(s) supporting the system tablespace. for example, /oradata/orcl/system1.dbf. You can't edit that file, but you can use search tools to see if values are contained in the file. As a test, create user george identified by wbush. Then go to your file manager and perform a search (in windows just press F3 to open the search box) and tell it to scan file system*.dbf for string wbush. I bet you don't find it! passwords are hashed, and the original string is discarded / never stored anywhere.
For users who log into Oracle as SYSDBA from a remote system, there is a password file named pwdSID.ora in your %ORACLE_HOME%database folder (or $ORACLE_HOME/dbs on unix.) This file stores the names of users who have been granted SYSDBA privs, but is only useful if your init.ora file has remote_password_loginfile=exclusive, which is not set by default.