By and large, you shouldn’t have to track orders or authorizations at all. Your client should make detailed logs, but you don’t need to keep a database of orders or authorizations. If you look at how most ACME clients are implemented, they probably just use the order and authorization information given by the ACME server in the moment, and don’t save it permanently.
For a high-volume, automated implementation (e.g. a web hosting company), it might be worth tracking failed authorizations and orders, so that, for example, if a customer’s domain expires, you might automatically stop trying to renew their certificate. (For a low-volume implementation, you can just have sysadmins manually investigate things, and the data store doesn’t need to be very clever.)
And you may want to at least temporarily keep track of pending authorizations to avoid the pending authorization rate limit – under normal circumstances, the only pending authorizations on your account should be for certificate requests that are actively in progress. But depending on your client’s error handling (like if one challenge fails) – or if something worse happens like the computer coincidentally crashing while the ACME client is running – and how many certificates it tries to get in parallel and in what order, you can leak enough pending authorizations to eventually run into trouble.
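One way to keep that temporary record, as an added example that is not part of the original post or of any particular ACME client: a small crash-safe journal of authorization URLs, checked at startup so that anything left over from an interrupted run is deactivated instead of lingering as pending. The journal path and the `fetch_status` and `deactivate` callbacks are assumptions; a real client would implement them as signed requests to the ACME server.

```python
import json
import os
import tempfile


class PendingAuthzJournal:
    """Crash-safe record of authorization URLs this client has opened."""

    def __init__(self, path):
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def _flush(self):
        # Write to a temp file and rename, so a crash never leaves a torn journal.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(self.entries, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def record(self, authz_url, domain):
        # Call as soon as the server hands back the authorization URL.
        self.entries[authz_url] = domain
        self._flush()

    def resolve(self, authz_url):
        # Call once the authorization is no longer pending (valid, invalid, ...).
        if self.entries.pop(authz_url, None) is not None:
            self._flush()


def recover_leaked(journal, fetch_status, deactivate):
    """Run at startup: anything still journaled was left behind by an earlier run.

    fetch_status(url) and deactivate(url) are hypothetical callbacks supplied by
    the client; deactivate would send the RFC 8555 section 7.5.2 request
    ({"status": "deactivated"}) to the authorization URL.
    """
    deactivated = []
    for url in list(journal.entries):
        if fetch_status(url) == "pending":
            deactivate(url)
            deactivated.append(url)
        journal.resolve(url)
    return deactivated
```
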