If a user is deleted all it's private permission knowledge objects will get deleted too. I recommend an alerting app context. Have your alerting service account save all alerts there and with shared in app permissions. Once a knowledge object is shared beyond private it will NOT be deleted when the user account is. The account needs permissions to all indexes for the searches it will run. If it is going to use the Splunk encrypted password endpoint for any custom search commands etc then it also needs the Splunk capability "admin_all_objects" which is full admin/god level control of Splunk.
You could let users make but not schedule searches. Then establish a "move to production" process where you copy or edit the meta data file owner of the knowledge object to your alert service account where you then schedule it.