That sounds easier than it really is.
I once found a root cron job that ran a script that was about 100 lines long. That script called another script that was close to 1000 lines long. The admin hid a call in that script to call a third script. That third script would check the time and the accounts, if it was between 00:00 and 02:00 GMT and his account was not in the system it would add the account with root privileges. When 02:00 came around it would delete the account from the system.
So basicly between 00:00 and 02:00 GMT he could access the system with admin privileges and do whatever he wanted. I only noticed it because I saw a login at 00:30 by an account that did not exist. I almost missed it because it was called deamon and when scanning the logs you can dismiss it as the daemon account. It took me days to find where the add and delete user account commands were hidden.