I suspect that there are malware files on your system that are allowing those user registrations. There are lots of googles/bings/ducks on how to clean a hacked system. (I use my own procedure here.)
What I would do is these things:
- change all credentials everywhere (hosting, FTP, admin, etc.)
- create a new admin user with a very secure password, log in as it (to verify it works), then demote the current admin user(s) to lowest level. Especially if your admin user is called ‘admin’.
- disable xmlrpc.php on your site (that can be a hack intrusion point)
- reinstall WP (use the Update on the dashboard).
- reinstall all themes from good sources via FTP. Do the same for all plugins
- Manually look at all files in all folders on your site for ‘bad’ files. Sorting by date helps, since you updated everything – all updated files should have the same datestamp, so unwanted files will stick out. Don’t forget to look at all hidden files, including htaccess.
- look at generated source code of pages to ensure there is nothing funky in there
The site can be cleaned (I’ve done it, which is how I developed my procedure). But IMHO there is a strong possibility of malware code on your site allowing those registrations.
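
The date-sorting check from the list above, as an added example that is not part of the original post: it walks a site copy, takes the most common modification hour as the reinstall time, and lists every file dated outside it plus every hidden file. It assumes the reinstall rewrote most files within the same hour; `scan`, `build_sample_tree` and the sample file names are constructed for illustration.

```python
import os
import sys
import tempfile
from collections import Counter

def scan(root, bucket=3600):
    """Return (reinstall_epoch, date_outliers, hidden_files) for files under root.

    Assumption: most files were rewritten by the reinstall within one
    `bucket`-second window, so the most common mtime bucket marks it.
    """
    files = []
    for dirpath, _dirs, names in os.walk(root):  # os.walk does not skip dotfiles
        for name in names:
            path = os.path.join(dirpath, name)
            files.append((path, os.lstat(path).st_mtime))
    if not files:
        return None, [], []
    modal = Counter(int(m // bucket) for _, m in files).most_common(1)[0][0]
    # Files more than one bucket away from the reinstall need a manual look.
    outliers = sorted(p for p, m in files if abs(int(m // bucket) - modal) > 1)
    # Hidden files and anything inside hidden folders are listed whatever their date.
    hidden = sorted(p for p, _ in files
                    if any(part.startswith(".")
                           for part in os.path.relpath(p, root).split(os.sep)))
    return modal * bucket, outliers, hidden

def build_sample_tree(root, now=1_700_000_000):
    """Constructed sample: a fresh reinstall plus one older file and one hidden file."""
    layout = {
        "wp-login.php": now, "wp-includes/version.php": now + 5,
        "wp-admin/index.php": now + 9, "wp-content/plugins/a/a.php": now + 20,
        "wp-includes/css/old.php": now - 90 * 86400,  # predates the reinstall
        ".htaccess": now + 2,                          # hidden, dated like the rest
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    when, outliers, hidden = scan(root)
    print("reinstall window starts at epoch", when)
    for p in outliers:
        print("DATE OUTLIER", p)
    for p in hidden:
        print("HIDDEN FILE ", p)
```

Media under wp-content/uploads is not replaced by a reinstall, so it shows up as outliers and still has to be checked by hand. A file's modification time can be reset by whoever wrote it, so a clean result narrows the manual review rather than replacing it.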