
Summary
This macOS-focused anomaly rule detects the creation of a new local user account on macOS endpoints by analyzing osquery-generated process events. It leverages the Endpoint.Processes data model to identify commands and utilities historically used to create or provision accounts: sysadminctl with -addUser, createhomedir with -u, dseditgroup with edit or -a, and dscl with -create. The detection returns contextual fields such as destination host, original file name, parent process, and process details (name, path, executable, hash, IDs), along with the initiating user. The rule relies on the macOS_account_created_filter macro and the secure time-anchoring macros to normalize timestamps. This lets SOC teams spot potentially unauthorized provisioning that could be used for persistence or lateral movement.

The rule is designed for Splunk deployments with osquery integrated via the TA-OSquery add-on, which populates the data models across indexers and forwarders. When a match occurs, the alert's remediation context includes a risk-based alerting (RBA) message that attributes the event to a specific user, host, and process, and maps it to MITRE ATT&CK technique T1136 (Create Account). The rule provides drilldown searches to view per-user/per-destination results and to review related risk events for the past 7 days, supporting rapid investigation and correlation with other detections and risk signals.

Known false positives arise from legitimate administrative workflows that create accounts during onboarding or maintenance, and the rule should be tuned per environment. References cover macOS process auditing and common account-management utilities to aid validation and remediation.
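As an added illustration that is not the rule's own SPL or any Splunk or osquery code, the following Python applies the same process-name and argument matching to constructed osquery process_events rows. The event shape (hostIdentifier, columns.cmdline, columns.parent, columns.username) follows osquery's JSON result format, and the PATTERNS table is an assumption reconstructed from the summary above, not the rule's actual search.

```python
import json
import shlex
from pathlib import PurePosixPath

# Utilities and the flags/verbs the rule treats as account provisioning (assumed from the summary).
PATTERNS = {"sysadminctl": {"-addUser"}, "createhomedir": {"-u"},
            "dseditgroup": {"edit", "-a"}, "dscl": {"-create"}}

# Constructed osquery process_events rows (NDJSON, as TA-OSquery would forward them).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"hostIdentifier": "mbp-01", "columns": {"pid": "812", "parent": "640", "username": "root",
     "path": "/usr/sbin/sysadminctl",
     "cmdline": "/usr/sbin/sysadminctl -addUser svc_backup -fullName 'Backup Svc' -password -"}},
    {"hostIdentifier": "mbp-01", "columns": {"pid": "815", "parent": "640", "username": "root",
     "path": "/usr/bin/dscl", "cmdline": "dscl . -create /Users/svc_backup UserShell /bin/zsh"}},
    {"hostIdentifier": "mbp-02", "columns": {"pid": "901", "parent": "77", "username": "alice",
     "path": "/bin/ls", "cmdline": "ls -la /Users"}},
    {"hostIdentifier": "mbp-02", "columns": {"pid": "905", "parent": "77", "username": "root",
     "path": "/usr/sbin/dseditgroup", "cmdline": "dseditgroup -o edit -a svc_backup -t user admin"}},
])

def match_account_creation(event):
    """Return the rule's contextual fields if this process event matches, else None."""
    cols = event.get("columns", {})
    try:
        argv = shlex.split(cols.get("cmdline", ""))
    except ValueError:  # unbalanced quotes: treat as no match rather than crash the pipeline
        return None
    if not argv:
        return None
    name = PurePosixPath(argv[0]).name  # basename covers both "dscl" and "/usr/bin/dscl"
    wanted = PATTERNS.get(name)
    if wanted is None or wanted.isdisjoint(argv[1:]):
        return None
    return {"dest": event.get("hostIdentifier"), "user": cols.get("username"),
            "process_name": name, "process_path": cols.get("path"),
            "process_id": cols.get("pid"), "parent_process_id": cols.get("parent"),
            "process": cols.get("cmdline"), "technique": "T1136"}

def scan(ndjson_text):
    """Apply the matcher to NDJSON osquery output; malformed lines are skipped, not fatal."""
    hits = []
    for line in ndjson_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = match_account_creation(event)
        if hit:
            hits.append(hit)
    return hits
```

The second sample shows why tuning is needed: dscl -create also sets attributes on an existing record, so it matches even when no account is created.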
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1136
Created: 2026-02-26