Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.
In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in
Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex:
sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. 
In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via Reg or other means) that will hide the user "test" from the Windows login screen:
reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.
|M1028||Operating System Configuration||
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the
|ID||Data Source||Data Component|
|DS0002||User Account||User Account Creation|
|User Account Metadata|
|DS0024||Windows Registry||Windows Registry Key Modification|
This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, "hidden" users may still get a home directory and will appear in the authentication logs.
Monitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccountsUserList key.