Several questions:
# Will the action=createaccount be disabled by default?
No, it's enabled by default.
Note that action=createaccount itself landed a few weeks ago; I'm just adding the captcha support.
# If enabled, is the action=createaccount reserved to a specific user group?
action=createaccount calls into LoginForm for the actual user creation; it's the same code as creating an account on the web interface and should use the same permissions.
# At first blush this appears to be designed to enable xrumer bruting. Have you considered adding optional single-use otf image creation for fancy captcha, which would be more cost effective on small wikis?
Brute-forcing captchas on the createaccount API should be exactly as easy/difficult as brute-forcing on the createaccount form.
I have not explored new captcha engines or techniques; that would be interesting to explore but is out of scope for me right now.
# There are several private modules for ConfirmEdit, as well as sites using different captchas based on ConfirmEdit (Asirra?). How might this interact with a site using a different (non-supported) captcha module?
If the module implements the addCaptchaAPI method -- already existing for some time and used by action=edit and action=login -- then it should work with action=createaccount as well.
-- brion