If someone is able to add themselves as an administrator, they have obtained access credentials that they should not have, such as FTP, control panel, WP admin, or mySQL. Scan your computer to ensure there is no key logger or other malware, then change all of your passwords mentioned above. Either delete other admin users or ensure their passwords are changed. Obviously, delete the spammer's account after recording his IP address. Consider changing the salts, this will invalidate everyone's current access cookies, forcing everyone to login again the next time they request a restricted page.
You can try blocking the IP in .htaccess, but since many users are assigned dynamic IPs, this may not help and could block an innocent user. You can also add the domains or brands he is advertising to the discussion blacklist.
If that doesn't work, you have been hacked and they have placed a back door somewhere. In that case, follow the steps in FAQ My site was hacked