What I am trying to achieve is to look is there any zombie user or group created by external attacks.
To do that you need to know what should be there; that's the admin's job.
You can't (usually) just point to a random entry and say that's definitely 'bad' just by the name alone.
What you should have is backups going back some time; extracting the same files and looking for changes may give some hints, but ultimately the admin needs to know (ie keep track of) what has been installed, inc users.
There's no easy answer...
See also the Security forum here and the rkhunter, chkrootkit tools etc .