At this time there is no permanent way to block spam bots from creating user accounts in WordPress - even with Captcha. So maybe in the next release, developers can give admins the ability to change usernames? Right now the usernames cannot be changed, even by admins.
I find it effective to change a banned user's password so they can't log back in. But they can simply request a new password.
If admins were allowed to change usernames as well as passwords, it would prevent banned users and spam bots from simply requesting a new password because they would get a message saying that the username does not exist.