Since r61917 (3 February), running the api tests have been creating a user called 'Useruser' which initially had a random password. r72475 (6 September) screwed up by using a hardcoded pasword. Since it wasn't too bad for wikis allowing account creation, r74118 (1 October) made that user a sysop. Finally, r74213 (3 October) split it into two users.
I added in r75588 a feature to block weak passwords, which will disable them. In r75589 I reverted to random password users and renamed them so that they a) Are much more unlikely to conflict with any human account creation. b) It is clear where did such sysop come from.
Sadly, we can't add them to $wgReservedUsernames without breaking the tests.
Any user having run 'make destructive' in the last two months should update to r75589 inmediatly. They are also encouraged to desysop and block the accounts 'Useruser' and 'Useruser1'. They are only at risk if that install is publicly accessible, though.
Users not running MediaWiki from trunk or which haven't run the phpunit tests are unaffected.