
Filters for account creation firing for non-existing logs
Open, Needs Triage | Public | BUG REPORT

Description

First, please have a look at these abuse logs, and notice that none is a log for an action that was prevented by the filter. We would then predict that the non-prevented actions show up on Special:Log/newusers, but we only have a log for User:Guenschi, and the other accounts are not actually created.
I'm guessing that the creation attempts for "the other accounts" were for some reason barred by the MediaWiki software, but if so, why does AbuseFilter pick up and log those barred actions? Generally speaking, the extension doesn't leave logs for actions barred for MediaWiki-internal reasons (e.g., an attempt to create a page like {} (via the API) won't work because of the invalid characters, which is hence never logged even if we have a filter watching action=edit). The situation described above is like, we have the abuselog ... triggered filter N, performing the action "edit" on {}. Actions taken: none, which leads us to expect that page {} was created, but there's actually no such log on Special:Log/create.
The thing is, this just floods AbuseLog with logs against which we can't take any counter-action.

Event Timeline

This comment was removed by Dragoniez.

For these users, Special:Contributions shows the message "User account "..." is not registered.", and Special:ListUsers does not list them either. No account exists to have a newusers log for.

Maybe a captcha was shown and abuse filter already logged the first try, but the account was not created (captcha not filled). But I have not tested that.

As abuse filter is working very early for the checks, it may have some logs even if the action does not happen.

> Maybe a captcha was shown and abuse filter already logged the first try, but the account was not created (captcha not filled). But I have not tested that.
>
> As abuse filter is working very early for the checks, it may have some logs even if the action does not happen.

Ah, CAPTCHA. I wasn't thinking of it. Perhaps that's it.

Anyway, I still consider the case I report here to be potentially problematic, because it also influences how throttling works.
Users aren't supposed to create accounts frequently, although some LTAs do. Because of this, it would be reasonable to prepare e.g. a throttling filter that limits account creation to, say, once in 10 minutes. But this filter would also be triggered for innocent users who just forgot to fill in the captcha field on the first try.

A second ramification I can think of is that vandals could intentionally flood AbuseLog with nonsense, to make it difficult for admins to surveil abuse logs. With the quoted mechanism of abuse filter, anyone can quite freely leave an abuse log without leaving an action log. (AbuseLog vandalism is something that has actually happened on jawiki before.)

That said, I now think it'd be extremely useful if we had a variable for whether the observed action went through. Something like action_processed?
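Added example, not part of the task or of AbuseFilter's code: a triage sketch that separates account-creation abuse-log hits with a matching newusers entry from hits with none, then shows how a "once in 10 minutes" throttle behaves when it counts attempts versus completed creations. Only the account name Guenschi comes from the report; the record keys, addresses, timestamps, other names and the 30-second matching window are constructed assumptions.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample data; keys are hypothetical export fields, not an API schema.
ABUSE_HITS = [
    {"id": 1, "time": ts("2024-01-01T10:00:00Z"), "client": "192.0.2.10", "account": "Guenschi"},
    {"id": 2, "time": ts("2024-01-01T10:01:00Z"), "client": "192.0.2.10", "account": "Guenschi"},
    {"id": 3, "time": ts("2024-01-01T10:05:00Z"), "client": "198.51.100.7", "account": "ConstructedA"},
    {"id": 4, "time": ts("2024-01-01T10:06:00Z"), "client": "198.51.100.7", "account": "ConstructedB"},
]
NEWUSERS = [{"time": ts("2024-01-01T10:01:02Z"), "account": "Guenschi"}]

def split_hits(hits, newusers, window=timedelta(seconds=30)):
    """Return (completed, unconfirmed) hits. A hit counts as completed when a
    newusers entry for the same account follows it within `window`."""
    completed_ids = set()
    for entry in newusers:
        candidates = [h for h in hits
                      if h["account"] == entry["account"]
                      and timedelta(0) <= entry["time"] - h["time"] <= window]
        if candidates:
            # Credit only the latest attempt before the creation was logged.
            completed_ids.add(max(candidates, key=lambda h: h["time"])["id"])
    completed = [h for h in hits if h["id"] in completed_ids]
    unconfirmed = [h for h in hits if h["id"] not in completed_ids]
    return completed, unconfirmed

def throttled_clients(events, limit=1, period=timedelta(minutes=10)):
    """Clients with more than `limit` events inside any `period` window."""
    by_client = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_client.setdefault(e["client"], []).append(e["time"])
    tripped = set()
    for client, times in by_client.items():
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start < period]) > limit:
                tripped.add(client)
                break
    return tripped

if __name__ == "__main__":
    done, pending = split_hits(ABUSE_HITS, NEWUSERS)
    print("unconfirmed hit ids:", [h["id"] for h in pending])
    print("throttled when counting attempts:", sorted(throttled_clients(ABUSE_HITS)))
    print("throttled when counting completed:", sorted(throttled_clients(done)))
```

On the constructed data, the client that retried once after a failed first attempt is throttled only when attempts are counted, which is the false positive described in the comment above.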