Thread:Project:Support desk/API: Disable selected dangerous write actions/reply

The recommended way to disable API account creation (or any API action module) is to use  in LocalSettings.php. See API:Restricting API usage.

API account creations still have to solve the captcha. I don't know how it works with ReCaptcha, but with FancyCaptcha the API gives the client a URL to the captcha image, and the client has to respond with the captcha solution in a subsequent API request.