We're currently inconsistent about MFA requirements for creating user accounts. On the main flow, you must MFA to create users after D19448. But you can still create users indirectly (by inviting or approving them) without MFA.
You can also edit Auth providers and enable registration without MFA.
Creating users isn't particularly dangerous on its own, but it could be used as one step in a larger attack (for example, to extend illicit access by creating an additional account). The current check is also effective at preventing the creation of special accounts (bots and mailing lists) without MFA, so it isn't entirely silly.
Probably, all of this should require MFA:
- inviting users;
- approving users;
- managing Auth providers.
See also T7667 for additional controls around Auth provider management.