An example filter:
action == 'createaccount' & accountname contains 'test'
with "block" as option for when the rule is matched results in AbuseFilter blocking the underlying IP creating the account but not the account itself.
I think that it'd be a better approach if AbuseFilter let the account being created, and after creation AbuseFilter did blocked the account.
This will also prevent the abuse log to expose the IP addresses of accounts being created. A bad faith or misconfigured edit filter could be set to collect all IP addresses of accounts being created and that's not okay. And also avoids SUL fragmentation. No local wiki can now use the title blacklist to prevent account creations but Meta-Wiki using the global Title blacklist. Thanks.