When you authenticate, all you have is username and password, you don’t typically know yet whether they are admin users or not at this point. I’m assuming you’re using the ‘authenticate’ filter to do authentication. If you are not, you should.
You could let WP first try to authenticate. If successful, they probably are admins. On success your ‘authenticate’ callback will receive the user object, so it’s easy to verify if there’s any doubt. If WP fails to authenticate, you’ll receive an error object instead, along with username and password. You can reasonably assume they are not admins and attempt the remote authentication. If that fails, just return the Error object. If remote authentication succeeds, you’ll need to get some sort of WP_User object to return.
I suppose it is possible to use a generic user account for this, but then you need to prevent that user from doing things to the account like changing passwords. This can get complicated and maybe introduce security holes. I think you’re better off with a WP user account for each remotely authenticated user. It’s just that the locally stored password hash has no meaning, the true password authentication is remote. You can get a user object to return from the authentication callback without a valid local password, as long as the remote process succeeded.
