The first script creates a new, local account with administrator priveleges and stores its randomized password in an accessible location. The second script takes it all away again.

Add-PowerUser.ps1

<#
    .SYNOPSIS
    This script creates a new, local account with administrator priveleges and stores its randomized password in an accessible location.     

    .DESCRIPTION
    This script was developed to make sure power users have a seperate, local account to be used for elevated operations. 
    Please visit https://threeisacloud.tech/power-to-the-user/ for more information. 

    Configuration is done via the (few) variables below. I assume they are self-explanatory.

    .NOTES
    Author: Niels Scheffers <niels.scheffers@etesian.nl>    
    Last modified: 2022-03-09    
#>
$userName = 'poweruser';
$userFullName = 'Power User (elevation account)';
$userDescription = 'Elevation account provisioned for power user.'; # Specify the account description. This cannot contain more than 48 chars. This input is _not_ validated. 
$passwordLength = 16; # Specify the length of the random password.
$passwordMinNonAlphaChars = 2; # Specify the _minimum_ number of non-alphanumeric characters the random password must contain. 
$passwordFile = 'C:\PowerUser\HiPowerUser!.txt'; # Specify the location and name of the password file. This path will be created if it doesn't exist. The file will be overwritten if it exists. 
Try {
    if (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue) {
        Throw "User '$($userName)' already exists.";
    } 
    Write-Host "Adding user '$($userName)'...";        
    Add-Type -AssemblyName System.Web; # We need to add this for the line below. Does not work at all in PowerShell Core, as .NET Core does not support System.Web. 
    $password = [System.Web.Security.Membership]::GeneratePassword($passwordLength, $passwordMinNonAlphaChars);
    $user = New-LocalUser $userName -Password (ConvertTo-SecureString -String $password -AsPlainText -Force) -PasswordNeverExpires -FullName $userFullName -Description $userDescription;
    
    Write-Host "Adding user to 'Administrators' group...";
    $localAdminGroup = Get-LocalGroup -SID 'S-1-5-32-544'; # Look up the .\Administrators group by SID. This prevents screw-ups when the group has a different name. Yes, I'm looking at you, French language. :)
    Add-LocalGroupMember -Group $localAdminGroup -Member $user; 

    Write-Host "Storing password in '$($passwordFile)'...";
    $passwordFilePath = Split-Path -Path $passwordFile;
    if (-not(Test-Path -Path $passwordFilePath)) {
        New-Item -ItemType Directory -Force -Path $passwordFilePath | Out-Null;
    }
    Clear-Content -Path $passwordFile -ErrorAction SilentlyContinue; 
    Add-Content -Path $passwordFile -Value $password;
    Exit 0;
}
Catch {    
    Write-Host 'Exception encountered:';
    Write-Host $_.Exception.Message;
    Exit -1; 
}

Remove-PowerUser.ps1

<#
    .SYNOPSIS
    This script removes any local account matching the configured username. 

    .DESCRIPTION
    This script was developed to make sure power users have a seperate, local account to be used for elevated operations. 
    Please visit https://threeisacloud.tech/power-to-the-user/ for more information. 

    Configuration is done via the (single) variable below. I assume it is self-explanatory.

    .NOTES
    Author: Niels Scheffers <niels.scheffers@etesian.nl>    
    Last modified: 2022-03-09    
#>
$userName = 'poweruser';
Try {
    if (-not(Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
        Throw "User '$($userName)' doesn't exist.";
    } 
    Write-Host "Removing user '$($userName)'...";        
    Remove-LocalUser $userName;
    Exit 0;
}
Catch {    
    Write-Host 'Exception encountered:';
    Write-Host $_.Exception.Message;
    Exit -1; 
}