I don't think it's a good question, or rather I don't think the answer and its explanation fit the question as stated.
The explanation says "Theodore confirmed the user was not in the database" clearly intending to say repeat what the question said, and the reasoning that delivers the answer is clearly based on that. But what the question says is "first confirming the login exists on the instance and then finding that it does not exist in the database" which says nothing about the user, so we can't deduce from the question that the user in was absent from the database. The fact that someone made an unauthorised change to security is clearly stated, and that unauthorised change could easily have ended up with this username being orphaned (if someone accidentally deleted the login instead of some similar-looking login-name, realised their mistake, and thought that recreating this login and deleting the one that was supposed to be deleted would fix their error, teh user being oprphaned is exactly what would have happened: that seems more likely than someone coming along and deleting the user, while leaving the login alone, and not realising that they'd deleted the wrong user (because the fact that the right user was still there instead of deleted would surely be noticed, and then they would have recreated the wrongly deleted user).
If the question had actually said what the answer and its explanation clearly indicate that it meant, instead of something different in a crucial detail, it would have been a good question. As it is, the question and the explanation don't match, a different answer is the more likely one of the two possible answers to the question as stated, and almost twice as many people have chosen that mst probably correct answer as have chosen the one erroneously claimed to be the only correct answer.