Yes, that is a little odd that non-WordPress accounts are getting infected too, unless the owner of the files also owns WordPress sites on the server. Depending on how your web server is set up, the web server process may also have access to write to any user's files, which could be part of the problem too, if that is the case. (Often, mod_suphp or mod_ruid2 in Apache are used to prevent that, but there are other ways too.)
-Matt R
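One way to check the condition described in the reply above, as an added example that is not part of the original post: it walks a directory tree and lists every file or directory that a given uid and group set could modify under plain POSIX permission bits. The function names and the `/home www-data` invocation are assumptions for illustration; ACLs and root's permission bypass are not modelled.

```python
import os
import pwd
import stat
import sys


def writable_by(st, uid, gids):
    """Apply POSIX class selection: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, uid, gids):
    """Return sorted paths (relative to root) that uid/gids could modify.

    A writable directory is reported too, because write access to a
    directory allows creating or replacing files inside it.
    """
    gids = set(gids)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if writable_by(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed invocation: python3 audit.py /home www-data
    # (pass the account your web server process actually runs as)
    user = pwd.getpwnam(sys.argv[2])
    groups = os.getgrouplist(user.pw_name, user.pw_gid)
    for hit in audit(sys.argv[1], user.pw_uid, groups):
        print(hit)
```

Hits inside accounts that do not run WordPress are the files a compromised site running as the shared web server user could reach.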