If you're willing to rely on an online service (and don't mind one that is pretty picky), the DNSSEC Checker will warn (among other things) about zones that don't use NSEC3.
To check by yourself, simply query a non-existent domain and look for either an NSEC or NSEC3 resource record in response. An example query would be dig +dnssec -t any xyzzy14.sdsmt.edu
(for a zone using NSEC3) or the same query at xyzzy14.berkeley.edu
to see NSEC records.
Also, note that NSEC3 does not fully protect DNS zones from being enumerated. Indeed no DNS server has ever been immune to that, since attackers can always do a dictionary attack by just querying for names they think might be there. Use of NSEC3 allows an attacker to speed up the dictionary attack and do it more privately offline. They retrieve all or most of the NSEC3 records by querying for non-existent domains, and thus get the hashes of all the hosts in the zone. They then do an offline brute-force attack on the hashes. Tools even exist to do that, e.g. nsec3walker. But NSEC3 is still much harder to enumerate than NSEC, and you can set the iteration count for the hash to a high value if you want to make it more expensive.