Creation: Users are created in AD during the initial Kerberization of the cluster, and again when services or hosts are added to the cluster. During the wizard, a test principal is created to test the Kerberos client configuration and operations, along with all of the appropriate principals for the services that are deployed in the cluster. During that process, passwords are generated and set in Active Directory. Those passwords are not permanently stored in Ambari and are only used for keytab generation.
Update: After the wizard completes, the principal regeneration process regenerates those passwords and sets them in AD.
Deletion: When services or hosts are removed, or when Kerberos is disabled, the appropriate principals are removed from AD.
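
Because the generated passwords exist only to produce keytabs, a password reset or deletion performed on one of these accounts outside Ambari leaves the deployed keytab unusable. The following is an added example, not Ambari's own code: it replays AD account-management events against the three phases above and reports changes made by anyone other than Ambari's AD account. The account names, the simplified event fields and the mapping of event IDs to phases are assumptions of the example.

```python
import json

# Standard Windows Security event IDs for account management. Mapping them to
# Ambari's three lifecycle phases is this example's assumption.
PHASES = {4720: "creation", 4724: "password-set", 4726: "deletion"}

AMBARI_ADMIN = "ambari-admin"  # hypothetical name of the AD account Ambari binds as

# Constructed, simplified events (not a real export); one JSON object per line.
SAMPLE_EVENTS = """\
{"id": 4720, "actor": "ambari-admin", "target": "svc-a-c1"}
{"id": 4724, "actor": "ambari-admin", "target": "svc-a-c1"}
{"id": 4720, "actor": "ambari-admin", "target": "svc-b-c1"}
{"id": 4724, "actor": "ambari-admin", "target": "svc-b-c1"}
{"id": 4724, "actor": "ambari-admin", "target": "svc-a-c1"}
{"id": 4738, "actor": "helpdesk1", "target": "svc-b-c1"}
{"id": 4724, "actor": "helpdesk1", "target": "svc-b-c1"}
{"id": 4726, "actor": "ambari-admin", "target": "svc-a-c1"}
""".splitlines()


def review(lines, admin=AMBARI_ADMIN):
    """Return (accounts still managed by Ambari, out-of-band findings)."""
    managed, findings = set(), []
    for line in lines:
        event = json.loads(line)
        phase = PHASES.get(event["id"])
        if phase is None:
            continue  # not one of the three lifecycle events
        actor, target = event["actor"].lower(), event["target"].lower()
        if actor == admin.lower():
            if phase == "creation":
                managed.add(target)
            elif phase == "deletion":
                managed.discard(target)
        elif target in managed:
            # Someone else reset or deleted an Ambari-created principal: the
            # keytab Ambari generated for it is no longer valid.
            findings.append((phase, target, actor))
            if phase == "deletion":
                managed.discard(target)
    return managed, findings


if __name__ == "__main__":
    still_managed, out_of_band = review(SAMPLE_EVENTS)
    print("managed:", sorted(still_managed))
    for phase, target, actor in out_of_band:
        print(f"out-of-band {phase} on {target} by {actor}")
```

A finding on a managed account means the principal regeneration process described under Update has to be run again before the affected service can authenticate.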