Find out what 'apt-get install' did

You look at the post-installation script, which is actually run by dpkg. You can find these in /var/lib/dpkg/info. Such scripts contain the name of the binary package in question, and have the suffix .postinst.

Note that there are also pre-installation scripts, which have the suffix .preinst, but I think that a package is much more likely to create a new user in a postinst script.

Did you have a particular example in mind?

An example is postgresql-common, which creates the postgres user. Here is an extract from the file /var/lib/dpkg/info/postgresql-common.postinst.

   # Make sure the administrative user exists
    if ! getent passwd postgres > /dev/null; then
        adduser --system --quiet --home /var/lib/postgresql --no-create-home \
            --shell /bin/bash --group --gecos "PostgreSQL administrator" postgres
    fi

What apt-get install does is executing dpkg -i on the packages.

To find out what a package does while installing you have to unpack it. Look in /var/cache/apt/archives/ if your package is still there.

Inside the package is a data archive (data.tar.gz) and a control archive (control.tar.gz). Inside the control archive is a script to execute after the installation (postint) and one to execute after deleting the package (postrm). Open those scripts in an editor and see what the installation process does.

To unpack the package:

ar x package.deb

To unpack the control archive (after unpacking the package):

tar xfz control.tar.gz