I think Chaitu has the right idea here. There's a variant of the New-NaUser cmdlet where you can use the credentials as saved by WFA without requiring decryption. Note this version of calling the cmdlet:
New-NaUser -Credential <PSCredential> [-FullName <String>] [-Comment <String>] [-Groups <String>] [-PasswordMinAge <Int64>] [-PasswordMaxAge <Int64>] [-Controller <NaController>] [-WhatIf] [-Confirm] [<CommonParameters>]
A PSCredential object containing the Username for the new user to be created along with the Password to be used for the new user.
So, changing the Day-0 example command for creating a new user to something a little more secure would start as Chaitu stated by creating a dummy entry in the WFA cache to hold the user and password encrypted. Then load the credentials into a variable as Chaitu stated, $NewUserCreds = Get-NaCredentials -Host $DummyHost
After that, assuming you're modifying the example command I posted, you could do something like this:
if ( $options.Length > 0 )
New-NaUser -Credentials $NewUserCreds $options -Groups $Groups
New-NaUser -Credentials $NewUserCreds -Groups $Groups
And, you're right. This would be a more secure form of the command.