
Summary
This rule detects the creation of new local user accounts on macOS systems. Creating such an account can indicate adversarial behavior, in particular an attempt to maintain persistence without relying on traditional remote access tools. The detection logic has two selections: execution of the `dscl` command with a command line containing 'create', and execution of `sysadminctl` with a command line containing 'addUser'. The condition fires when at least one of these selections matches. The rule helps identify unauthorized account creation that could compromise system security.
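The following is an added example, not the rule's own definition or code: a small Python re-implementation of the two selections and the OR condition described above, run over constructed macOS process-creation events. The event field names (`image`, `command_line`, `user`), the executable paths and the account names are assumptions, and the case-insensitive substring match mirrors the default behaviour of a Sigma `contains` modifier.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event; field names are assumed, not from the rule."""
    image: str         # full path of the executable
    command_line: str  # full command line as recorded by the sensor
    user: str          # account that launched the process


def _image_name(event: ProcessEvent) -> str:
    # Match on the executable's basename so /usr/bin/dscl and a copied
    # ./dscl both count as "dscl".
    return os.path.basename(event.image)


def _contains(haystack: str, needle: str) -> bool:
    # Sigma's `contains` modifier is case-insensitive by default, so a
    # command line such as "sysadminctl -ADDUSER" still matches.
    return needle.lower() in haystack.lower()


def matches_dscl_create(event: ProcessEvent) -> bool:
    """Selection 1: dscl executed with 'create' anywhere in its command line."""
    return _image_name(event) == "dscl" and _contains(event.command_line, "create")


def matches_sysadminctl_adduser(event: ProcessEvent) -> bool:
    """Selection 2: sysadminctl executed with 'addUser' in its command line."""
    return _image_name(event) == "sysadminctl" and _contains(event.command_line, "addUser")


def is_local_account_creation(event: ProcessEvent) -> bool:
    """Condition: one of the two selections (logical OR)."""
    return matches_dscl_create(event) or matches_sysadminctl_adduser(event)


def run_detection(events):
    """Return one alert record per matching event, tagged with the ATT&CK technique."""
    alerts = []
    for idx, ev in enumerate(events):
        if is_local_account_creation(ev):
            alerts.append({
                "event_index": idx,
                "technique": "T1136.001",
                "image": _image_name(ev),
                "command_line": ev.command_line,
                "user": ev.user,
            })
    return alerts


# Constructed sample events; paths, account names and users are made up.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/dscl", "dscl . -create /Users/svc_backup", "root"),
    ProcessEvent("/usr/bin/dscl", "dscl . -read /Users/alice", "alice"),
    ProcessEvent("/usr/sbin/sysadminctl", "sysadminctl -addUser svc_backup -password ******", "root"),
    ProcessEvent("/usr/sbin/sysadminctl", "sysadminctl -deleteUser olduser", "root"),
    ProcessEvent("/bin/ls", "ls -la /Users", "alice"),
    ProcessEvent("/usr/bin/dscl", "dscl . -create /Users/svc_backup UserShell /bin/zsh", "root"),
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Two points worth noting when tuning this in practice: the rule fires once per process invocation, so a script that builds an account with several `dscl -create` calls (one per attribute, as in the last sample) produces several alerts for one account; and the `dscl` selection matches on the substring 'create' anywhere in the command line, so review the launching user and parent process (for example MDM agents or Setup Assistant) before treating a match as unauthorized.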
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1136.001
Created: 2020-10-06