Do actual penetration testers actually use tools like metasploit?
As far as forensics is concerned, Metasploit have payloads which are specifically designed to make the work of forensic analysis more difficult. For example, the most famous payload which is selected by default with a lot of exploit modules is the meterpreter payload. It completely runs in-memory and don't touch the disk for any operations (unless specifically asked by the user). Which means there will be no evidence in the prefetch folder or any other place on the disk.
You don't have to clear all the event logs. You can selective clear any event log you want through the meterpreter script event_manager.
Meterpreter has a tool called timestomp which can change the modification, access, creation, and execution time of any file on the hard disk to any arbitrary value. You can securely wipe out any file with the sdel (safe delete) module which not only securely wipe the file contents but rename the file to a long random string before the deletion which makes the forensic recovery of not only the contents but the file meta data very difficult as well.
Now comes to your second part of the use of Metasploit by actual malicious attackers in real world attacks. There have been reports that Metasploit was used in one of the attacks on the Iranian nuclear facility. The reason you don't see Metasploit more often is due the open source nature of the product. Since the exploits and payloads are available to everyone, by default every security product such as antivirus, IDS/IPS etc consider these files as malicious. The defense industry has gone to an extent that even if one create a completely benign file with Metasploit, it will be detected by almost all the AV solutions. Generate an empty payload like:
echo -n | msfencode -e generic/none -t exe > myn.exe
Upload it to VirusTotal and you will see that more than half of the AV solutions detect it as malicious. More details can be found on the Matt Weeks' blog here.
With this behavior no attacker will risk using Metasploit for actual attacks due to the very high detection rate. The modules can be easily customized and bypassing AV and other security controls through Metasploit is quite easy as well. However, at that point it is difficult to determine if the payload is written from the scratch or the Metasploit module has been modified. Therefore, it is difficult to say for sure how many attackers have used or continue to use Metasploit in their operations.
I don't know about malicious attackers/hackers, but I do know several pentesters (myself included) that include Metasploit in their toolboxes. It's by far not the only tool used, but it certainly has its uses. That being said, your question seems to be about "covering your tracks" which is naturally something more useful to the malicious attacker. On my pentest engagements, we rarely tamper with logs, except when detecting log tampering is one of the "blue team" goals. (Then we do it to see if it gets detected.)
Yes, pentesters do use Metasploit. With custom exe templates and shikata_ga_nai, you are able to fool nearly every AV solution (Google for AV evasion to learn more about this) and the meterpreter payload is really handy to escalate privileges in Windows domains.
That being said, Metasploit is only one tool of many and a good pentester should know and use the right tool for the right task.
Clearing specific entries out of the event log might come in handy for a pentest when the goal is to be undetected and fool SIEM systems. However, just because this feature is missing from Metasploit (as of now) does not mean that you cannot use all the useful modules that are already there.
Regarding custom toolkits, I would imagine that it would be more effective to fork Metasploit or to simple just write your own post-exploitation modules (like selective event log deletion).
That's the beauty of open source software.