Spam user creation is the main concern of drupal developers. This post assumes that you are not allowing anonymous user creation on your website. This is one method. You can use other methods depending on the spam user on your site.
I would only recommend to change drupal usually using module path and validation method.
1) quick way to stop spam user registrations is to change the user path using the Rename Admin Paths module. Once you install this module. Your website links to the user paths will dynamically change to point to the new path. Usually Spambots trying to access drupal default url, and it will redirect to 404 page.
2) Change the drupal default password validation format to another format is can also be used to prevent spam users.