I’m not familiar with Sysprep, but I’ll share with you my workflow:
Boot into recovery or off of a macOS install drive (I have a partition on my MDS deployment drive with the most current Mojave installer), run MDS-built configuration which:
- Installs latest macOS (downloaded via Greg Neagle’s excellent installinstallmacos.py script).
- Creates a local administrator account with an ID <500 & hides it (doesn’t show if login is set to display users)
- Installs apps (either packages or full apps)
- Sets system level preferences/profile
I could just as easily add a “standard” account in addition to the admin account created in step 2 for testing, then delete it via that local admin account.
I’ve found that having a local admin account has saved my sanity more than a few times. And if you want to execute a password change to existing local admin accounts, there’s scripts to do so (just create a package with a post install script and deploy that with your favorite tool).
Tim’s idea of using APFS snapshots sounds interesting, but, for the moment, just execute a script to clean up your temporary account & data, which is what it sounds like you’ve been doing, just from the hidden admin account.