• Don't forget to set up Group Policy for these accounts as you see fit, and, if need be, set up proxy accounts also.

    Personally, I tend to make sure they're on the lists for:

    Act as part of the operating system

    Adjust memory quotas for a process

    Bypass traverse checking

    Lock pages in memory

    Log on as a service

    Perform volume maintenance tasks

    Replace a process level token

    Some of the above came from working with proxy users as well, and may not be required for you. I understand there is some debate about "Lock pages in memory", too.

    Note that one account gets one and only one password - use a different account username for Prod, QA and Dev.

    For passwords, they're service accounts, set and forget, so make them insanely long, complex and random, then copy/paste them in.

    I disagree about disabling account lockout - I'd rather have the security in case someone tries a dictionary, hybrid rules-based dictionary, or even pure brute-force attack. If you can manage to keep the usernames/passwords secret, and only use one per machine/environment, then you shouldn't have much to worry about them being locked out by other employees.

    As mentioned above, turn off the "log on as a user" right, and definitely don't make them domain admins or local admins, so they're not as useful to a hacker, and not as tempting to other employees to use as shortcuts.
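The steps in the answer above, scripted in PowerShell as an added example (this is not code from the answer's author or from the thread). It assumes the ActiveDirectory module is available, a domain called CONTOSO, one account per environment named svc_sql_<env>, and that the answer's "log on as a user" right means interactive logon, so it adds the account to the "Deny log on locally" and "Deny log on through Remote Desktop Services" rights; the Se* constant names are the standard LSA names of the rights listed in the answer. Everything else (password length, character set, file paths) is illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Assumes the ActiveDirectory module and a
# domain named CONTOSO; account names, paths and the privilege mapping are assumptions.
Set-StrictMode -Version Latest

# The user rights listed in the answer, by their LSA/secedit constant names.
$ServiceRights = @(
    'SeTcbPrivilege',               # Act as part of the operating system (SYSTEM-equivalent; grant only if the product needs it)
    'SeIncreaseQuotaPrivilege',     # Adjust memory quotas for a process
    'SeChangeNotifyPrivilege',      # Bypass traverse checking
    'SeLockMemoryPrivilege',        # Lock pages in memory
    'SeServiceLogonRight',          # Log on as a service
    'SeManageVolumePrivilege',      # Perform volume maintenance tasks
    'SeAssignPrimaryTokenPrivilege' # Replace a process level token
)
# Assumption: "log on as a user" in the answer means interactive logon, so deny it.
$DenyRights = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')

function New-ServicePassword {
    param([int]$Length = 64)
    # Printable ASCII minus space, quotes and backslash so the value pastes cleanly
    # into the Services MMC and connection strings.
    $alphabet = [char[]]((33..126) | Where-Object { $_ -notin @(34, 39, 92) })
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb = [System.Text.StringBuilder]::new($Length)
    $buf = [byte[]]::new(1)
    # Rejection sampling: discard bytes at or above the largest multiple of the
    # alphabet size so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Count)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Count]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function New-EnvironmentServiceAccount {
    param(
        [Parameter(Mandatory)][ValidateSet('dev', 'qa', 'prod')][string]$Environment,
        [string]$Domain = 'CONTOSO'   # assumption
    )
    $name = "svc_sql_$Environment"    # one account per environment, never shared
    $password = New-ServicePassword
    # Not added to any admin group; lockout policy is left as the domain defines it.
    New-ADUser -Name $name -SamAccountName $name `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    # Returned once so it can be pasted into the service configuration, then discarded.
    [pscustomobject]@{ Account = "$Domain\$name"; Password = $password }
}

function Grant-ServiceRights {
    param([Parameter(Mandatory)][string]$Account)   # e.g. CONTOSO\svc_sql_prod
    $tmp = Join-Path $env:TEMP 'svc-rights'
    # Export the current local assignments. secedit /configure REPLACES the holder
    # list of every right in the template, so the account must be merged in, not
    # written alone, or the existing holders (e.g. NT SERVICE SIDs) lose the right.
    secedit /export /cfg "$tmp.inf" /areas USER_RIGHTS | Out-Null
    $current = @{}
    foreach ($line in Get-Content "$tmp.inf") {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $current[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_ })
        }
    }
    $body = foreach ($right in $ServiceRights + $DenyRights) {
        $holders = @($current[$right]) + @($Account) | Where-Object { $_ } | Select-Object -Unique
        "$right = $($holders -join ',')"
    }
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]') + $body | Set-Content "$tmp-merge.inf" -Encoding Unicode
    secedit /configure /db "$tmp.sdb" /cfg "$tmp-merge.inf" /areas USER_RIGHTS | Out-Null
    Remove-Item "$tmp.inf", "$tmp-merge.inf", "$tmp.sdb" -ErrorAction SilentlyContinue
}

# Usage (run on the server that hosts the service, once per environment):
#   $acct = New-EnvironmentServiceAccount -Environment prod
#   Grant-ServiceRights -Account $acct.Account
#   $acct.Password   # paste into the service's Log On tab, then clear the variable
```

Grant-ServiceRights edits the local security policy; if the server is under a domain GPO that defines any of these rights, the GPO setting wins at the next refresh, so in that case put the same [Privilege Rights] entries into the GPO's security template (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment) rather than relying on the local import. The merge step matters: a template listing only the new account would silently strip "Log on as a service" from every other service on the host.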