Pruning hidden users
On the Dashboard's Users page, scan your privileged users for suspect additions. Maybe there's a new Administrator, else an additional Editor, and so on. Delete those, but be aware that, sometimes, this check isn't thorough enough.
The foolproof method is to pop open your database, say again with phpMyAdmin and, substituting the three mentions of the wp_ prefix for any bespoke prefix you may have, run this query from the SQL panel:
SELECT u.ID, u.user_login FROM wp_usermeta m, wp_users u WHERE m.meta_key = 'wp_user_level' AND m.meta_value = 10 AND m.user_id = u.ID
By clicking on Go, your Administrators are listed if, as is the case here, that role is specified with the value of 10 in AND m.meta_value = 10. Repeat the process for Editors with a value of 7 or, for Authors, using 2. For the record, Contributors have a value of 1 and Subscribers, doubtless without prejudice, get a big fat 0:
Here, we've got two Administrators with ur-d00med-m8 looking decidedly shady. We can see that the user has an ID of 9 so, again by clicking through the SQL tab in the menu, we run the query we see in the screenshot:
Bear in mind that, if a hacker got this far, there could easily be a backdoor somewhere in your files and, while the Exploit Scanner may have thrown that or those up, it would be prudent to wipe and replace the web files. Talking of which, here's the big stuff ...
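The per-role lookups for Administrators, Editors and Authors described above can be run as one audit pass. The query below is an added example, not from the original text; it assumes the default wp_ prefix and also reads the wp_capabilities meta key, which the text does not mention, so the stored role can be compared with the level.

```sql
-- Added example, not from the original text.
-- Assumes the default wp_ prefix: change it in both table names AND in
-- both meta_key strings if your install uses a bespoke prefix.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,                     -- recent dates deserve a second look
       lvl.meta_value AS user_level,
       CASE CAST(lvl.meta_value AS UNSIGNED)
            WHEN 10 THEN 'Administrator'
            WHEN 7  THEN 'Editor'
            WHEN 2  THEN 'Author'
            ELSE 'non-default level'          -- a value the exact-match queries would miss
       END AS role_by_level,
       cap.meta_value AS capabilities         -- serialized role data, for cross-checking
FROM wp_users u
JOIN wp_usermeta lvl
  ON lvl.user_id = u.ID
 AND lvl.meta_key = 'wp_user_level'
LEFT JOIN wp_usermeta cap
  ON cap.user_id = u.ID
 AND cap.meta_key = 'wp_capabilities'
-- Everything from Author (2) upward, including any value in between
WHERE CAST(lvl.meta_value AS UNSIGNED) >= 2
ORDER BY CAST(lvl.meta_value AS UNSIGNED) DESC,
         u.user_registered DESC;
```

Any row whose role_by_level and capabilities columns disagree, or whose level is not one of the listed defaults, is worth checking against the Dashboard's Users page.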