My server has 2 accounts are hacked and now if I try to removed them by any way, after that 1 min, they will be re-added automatically with the highest permission in
visudo NOPASSWORD=ALL
So how can I find out the root code do it and remove them forever?
Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.
If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.
You should try to investigate how they hacked the system in first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked down environment (no access to the internet or your business networks, etc).
You should also back up only as much data as necessary, but as few as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help to decide what you need and what is in good shape.
Related questions on other Stack Exchange sites:
