Last Tuesday Joomla published version 3.6.4, an update to patch security issues:
High Priority — Core — Account Creation (affecting Joomla! 3.4.4 through 3.6.3)
High Priority — Core — Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3)
Securitycheck Pro protects against this threat. A couple of versions ago I added a feature to forbid new administrative accounts (Web firewall configuration --> User session protection --> Forbid new admin accounts):
Just enable it and no new administrative accounts will be allowed.