Script check_sys_grants checks only user_sys_privs. Problem is that on some oracle configurations sys privs can be also configured via roles (view ROLE_SYS_PRIVS).

Original code for getting sys privileges (from user_sys_privs)
minus (select privilege from user_sys_privs union all select replace(privilege,' ANY ') privilege from user_sys_privs)

My proposal is to union also view ROLE_SYS_PRIVS, because on my configuration there are some privileges which are provided via role.

minus (select privilege from user_sys_privs union all select replace(privilege,' ANY ') privilege from user_sys_privs union all select privilege from role_sys_privs )

Source views for SYS privileges:

• user level
  select PRIVILEGE from user_sys_privs
• role level
  select PRIVILEGE from role_sys_privs

l_version=12.2.0.1.0
l_compatibility=12.2.0