@Jesse You can track that activity to find who created the local user account and then check on that particular server/machine to see what kind of processes are running there. they might or might not have the need for that. normally any service account created by any process would not get deleted and should have valid reason for its existence, I would start from this event logs : https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
Where Account Name [Type = UnicodeString]: the name of the account that requested the “create user account” operation.
-----------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.