@hopsakee I did the same thing, and no suspect file… is very wired because the only thing was to create admin account. I suspect database, maybe they set something there…
Next you can try to delete all plugins and reinstall it from WordPress, and if you have a backup older than February, replace theme files and delete unused themes/plugins.
If your WordPress is up to date, reinstall it (you can delete wp-includes and wp-admin directory , download WordPress zip same version and upload this folders manually in FTP to be sure this folders doesn’t contain another PHP files.
Also check root of site for files not related to WordPress and replace it with files form official zip.
Block execution of PHP files in uploads.
I did not find any suspect files until now, only files and plugin used to create new admin accounts.
