Yes Protect is the only user that is created specifically within the database, you could call it something else, but the best practise is to leave it called Protect as there are a number of scripts and elements that look for the user to be Protect.
Make a note of your SYS user too as this is the super user for the database, basically the equivalent of SA if you are from a SQL background.
Enforce console users are created locally, even if you have AD authentication switched on. You can create the identical name for the AD account in Enforce locally and then when you use it to login it will dynamically reference LDAP for the password for your account. Hence why you will only see the option to add the AD username in Enforce.
Hope this helps