All I read when it comes of detecting a man in the middle attack is that the ARP cache table will have duplicated entries for the attacker MAC address, but I can't find the reason why.
The way I think it is (because one is the faked one and the other the normal ARP response) leads me to think: supposing I'm the attacker, would it not be as easy as not sending the real ARP response, but only the fake one?