This will be only a partial answer (but your question can only be fully answered with an Orchard module...):
Yes, this is possible and indeed there is no built-in or easy way to do this. What you could do is to use one of the tenants as a master user store (as you also described), and then the other tenants would query this master store (which can be done as cross-tenant DB queries, see this Orchard Dojo article) when needed. The easiest way is to actually sync down the necessary accounts (i.e. User content items) to each of the tenants, since all the tenants use the same user storage mechanisms.
Another way would be to utilize SSO with an external identity provider (which you can run yourself too, like with IdentityServer). This would be a slightly different approach than what you've described. It has different advantages but I'd say it's an equal level of effort (though there are several OAuth-using authentication modules out there that you can use for inspiration).
I've actually done the first approach with a module suite called Federated Login. We use these modules at Lombiq (my company, see my profile) to provide federated user accounts for our own websites (consisting of multiple tenants in multiple distinct applications). Since the modules are closed source, I can't point you to them, but if you're interested, get in touch with us.