admin@System-Domain - vSphere 5.1 SSO admin account with Domain name
administartor@vspehre.local - vsphere 5.5 SSO admin account name with Domain vSphere.local (not changeable)
administrator@vsphere.local - vSphere 6.0 SSO admin account name with default domain vSphere.local (changeable during deployment of PSC)
since vSphere 5.5, SSO created it's on LDAP database to keep user/group accounts info etc... you will be using this default SSO admin account to do initial administration of SSO like adding more identity source (AD/OpenLDAP). and If you wish you can delegate SSO admin privileges to other accounts too. All you got to do is make those additional accounts member of a group called Administrators within your SSO users/groups section.
I wouldn't say using default domain name vSphere.local is bad practice but it's just that if you wanted to customise the name of it, then you weren't able to do it in version 5.5, but in latest version a bit more control is with us. Setting password of SSO admin as complex as possible would be the only advise as that account has full control on your VC inventory by default, but access and authentication can be modified quite easily by creating roles as per your requirements and assigning permissions accordingly.