In the user guide for for Create a User it shows a JSON body for the post as including id, firstName, lastName, and email.
However the REST call itself lets you specify the password as well (and the legacy call also let you do this). See the relevant code.
It might also be worth noting what happens in the system if a password isn't specified during creation. check_password will always fail. Not sure if there are any other implications.
Also, unlike Update a User above it, it doesn't mention that id is the only required field to pass into create.