Get Off Those Maliciously Loaded Scripts!
Download this free Anti-Malware Plugin for WordPress.

I had a very similar intrusion where the scanner did not detect a hidden user in the database.

I only became aware when my main theme updated, removing the malicious code, and the number of admin users showing in the WordPress admin panel became correct.

In addition to trying to detect the malicious code, could you add a check for ‘hidden’ users to the plugin? Perhaps use a number of different methods to check the database for admins and report any difference in the count results.