In the EC2 console, in the navigation pane on the left, click Network Interfaces.
Everything with an IP address -- EC2 instances, ELBs, NAT Gateways, RDS instances (to name some of the more common ones) has at least one virtual NIC called an Elastic Network Interface (ENI).
Each ENI typically has a primary private IPv4 address and may have one or more secondary IPv4 address.
There should not be anything with an IP address in your VPC that doesn't appear here.
The exception is the unavailable and reserved addresses, which aren't shown. The all-zeroes "network" address and all-ones "broadcast" address are unavailable by the rules of subnetting, and the network address +1, +2, and +3 (.1, .2, .3 in a /24), are reserved by the VPC infrastructure. This (256 -2 -3 = 251) establishes the baseline maximum available for /24 networks of 251 addresses.
The missing address in your configuration would presumably be your NAT Gateways, but in any event you should be able to find it under Network Interfaces.
An ELB under light load will also establish 1 ENI in each subnet where it is configured. If the ELB automatically scales up (out) significantly under load, it will need to establish more ENIs, and this is one important reason not to size your subnets based only on the forecasted number of instances.
Possibly worth mentioning: the peering addresses for VPC Hardware VPN and AWS Direct Connect are assigned from the IPv4 Link Local address space 169.254.0.0/16. These connections have access to but are not actually "on" any VPC subnet, so they don't consume any addresses from your VPC's private address space.
