What is accessible to an attacker who has reset my administrator password?
Solution 1:
If FileVault is enabled, booting into single user mode requires a password, so neither of the methods for resetting the password in single user mode work.
As others have mentioned, resetting the login password doesn't reset the password of the login keychain. I tried resetting the login password a few months ago. I could access most files normally, but not my account in Mail.app or auto-filled passwords in Safari. But I could access my Gmail account from Safari because I had set it to log in automatically.
The login password (but not the password of the login keychain) can also be reset with an Apple ID. There's a checkbox for allowing that when creating an account. I think it was checked by default. The option can be disabled later in the Users & Groups preference pane. If the option was enabled before you turned FileVault on, you cannot disable it without turning FileVault off and back on. See Michael Tsai - Blog - FileVault 2’s Apple ID Backdoor.
1. Are all user accounts still present?
Yes. And all of their passwords can be changed separately, or from the Users & Groups preferences after logging in to (or creating) one adminstrator account.
2. Are all keychains still present, or are they reset or cleared as part of the password creation process?
The keychains aren't removed, but the login keychain isn't unlocked automatically after the login password is reset.
3. If the keychains are still present, does the (new) administrator have access to the contents of existing keychains.
Not without knowing their passwords.
4. Are any files (other than keychains) erased or reset as part of the process?
I don't know, but you can access most files normally.
Solution 2:
If someone has your administrator account, everything on the machine is accessible to them. People in IT Security circles say "Physical access = Total access".
Keychains can only be unlocked with the keychain password. If an account password is changed/updated without being logged into the account AND having the relevant keychain unlocked, the keychain password doesn't change.
Meaning, someone could get access to your account perhaps, but not your keychain, without the original password. The account and keychain passwords fall out of sync with one another.
FileVault protection similarly, will remain in place until unlocked using the correct password. I don't believe having root access on the machine allows you to unlock the keychain or the file vault account without the relevant passwords.. that's the whole point.
Of course, theoretically a hacker with godlike skills, patience, and knowledge could manually edit the relevant passwd files to be whatever he/she wanted it to be (if they had root access), but the probabilities of this happening is somewhere between zero and nil.