Unauthorized user registration

Hi.
I’ve been running a small personal wordpress blog for some years now. Since the end of January 2012 i’ve started to recieve emails that are telling me that a new user has registered.

But i have disabled user-registration in the general options page.
I updated to WP331 in the beginning of February.
I am the only administrator on my blog that can register new users. (There are only a few intentionally and manually created subscribers.)
I have changed the passwords of the admin-account and the database.

Nevertheless those users keep appearing in the user-panel as subscribers (wich is the default-role for new Users).

When checking the server-logs at the time the illegal user registrated, the request was mostly done by some ukranian or polish IPs that are in most cases listed as spammers.

Because I quickly dispose of those unauthorized users I have not checked the database if they have set a password.

The serverlogs show this line at the time when the registration mail was recieved:
[01/Feb/2012:04:29:29 +0100] "POST /blog/wp-login.php?action=register&callback=?&template= HTTP/1.0" 200 465 "http://www. ...

I think there is a vulnerability somewhere in the registration-scripts.

Did I miss to provide nessesary informations?
Do you have any tips how to prevent those intrusions?