EFS encrypts files with a random file encryption key (FEK) and encrypts that key with a RSA key belonging to the user ... this RSA key ist protected by DPAPI ... if the system is setup with a key recovery agent, the FEK is also encrypted for the RSA key of the key recovery agent (this might be the local admin, but can be changed, even to no key recovery agent)
if the local admin changes the password of a user, their DPAPI master key is left untouched, still protected by the old user password ... changing the password won't give you access to the DPAPI master key, and therefore won't give you access to the users private RSA key ...
if the station is member of a domain, the domaincontroller will have a decryption key that will allow decryption of a DPAPI master key ...