A customer of mine just had the same hack, the user “badmin” logged in (as reported by WordFence) even though that user is not listed as a WordPress user. Can you tell me what plugins you’re using? Perhaps we have a plugin in common that is acting as the backdoor.
