You can encrypt a Mac without a secure token now but you are correct that an admin account requires a secure token to edit the EFI security settings.

Here's a link on secureTokens not being totally necessary to enable FileVault anymore: https://travellingtechguy.eu/mojave-10-14-2-and-secure-tokens-it-works/

I haven't messed with NoMadLogin in a while, I believe it will happily create just a standard user account unless you specify in a profile/plist that you want that user to be an admin. That might be the cause of that "No administrator was found" message.

I'm not so sure about 10.14.2 and up not requiring a secureToken to encyrpt the Mac. On our setup, we have a PreStage enrollment that creates a local techsupport account for our site techs. Normally, I would advise the techs not to sign in as techsupport and have the end user sign in first in order for them to get the secure token first and that user usually is forced to encrypt the Mac with a policy that includes our institutional key.
On these T2 MacMini's I still find that is the case. If I log in as the local techsupport account first, the end user is unable to encrypt their Mac. I have to issue a secureToken to them with the techsupport account after they log in. I can workaround the “No administrator was found” in the Startup Security Utility as I can disable the EFI password with Jamf Pro or the firmwarepasswd command.
The bigger issue is when I have to decrypt the Mac due to the end user forgetting their password or something caused it to change without their knowledge. If I go into the recovery partition and I don't log in as the techsupport account first, I am unable to open Terminal to decrypt the device with the institutional key because I will get the “No administrator was found” error.

@sshort Thanks for that article!!! From that I was able to figure out that "diskutil apfs updatePreboot /" updates the accounts that appear at preboot.

The only other issue I still have is getting the local techsupport account to show up on preboot without resorting to the first user to issue a secureToken.

I'm having this issue in Big Sur. Our PreStage enrollment creates a hidden local admin account on the machine. Our users are AD bound mobile non-admin users and are the first to login. They get the security token. I'm unable to turn off startup security as I get the no admin found. On a test machine I elevated a standard user to admin and then granted a security token to the local admin account. I booted back into the recovery partition and the issue persists. I tried "diskutil apfs updatePreboot /" as well as making the local admin account unhidden. I can't find anything that works.

I have the same issu. Big Sur Pre Stage Enrollment with hiden local admin. The users are local with jamf connect. I am not able to deny the Start from external devices.

Of the three machines I'm testing, I was able to elevate the standard user and issue the secure token to the local admin. However, only on one of them does that local administrator account show up in the recovery partition under boot security after issuing the security token.

Update: logged in as a user and removed admin rights from my local admin account - rebooted - logged back in as a user - elevated local admin account back to admin - rebooted - logged back in as user and confirmed security token on local admin account - rebooted into recovery partition, my local admin account now shows up in Startup Security. Not a workable solution long term but it gets these few machines that I've already deployed working.