This is probably better on the Security.Stackexchange.com website, but…

According to the OWASP Guide to Authentication, CAPTCHAs are actually a bad thing. Not only do they not work, induce additional headaches, but in come cases (per OWASP) they are illegal.

CAPTCHA

CAPTCHA (Completely automated Turing Tests To Tell Humans and Computers Apart) are illegal in any jurisdiction that prohibits
discrimination against disabled citizens. This is essentially the
entire world. Although CAPTCHAs seem useful, they are in fact, trivial
to break using any of the following methods:

• Optical Character Recognition. Most common CAPTCHAs are solvable using specialist
CAPTCHA breaking OCR software.

• Break a test, get free access to foo,> where foo is a desirable resource

• Pay someone to solve the CAPTCHAs.

The current rate at the time of writing is $12 per 500 tests.
Therefore implementing CAPTCHAs in your software is most likely to be
illegal in at least a few countries, and worse – completely
ineffective.

Other methods are commonly used.

• The most common, probably, is the e-mail verification process. You sign up, they send you an email, and only when you confirm it is the account activated and accessible.
• There are also several interesting alternatives to CAPTCHA that perform the same function, but in a manner that’s (arguably, in some cases) less difficult.
• More difficult may be to track form submissions from a single IP address, and block obvious attacks. But that can be spoofed and bypassed.
• Another technique to use JavaScript to time the amount of time the user spent on the web page before submitting. Most bots will submit things almost instantly (if they even run the JavaScript at all), so checking that a second or 2 has elapsed since the page rendered can detect bots. but bots can be crafted to fool this as well
• The Honeypot technique can also help to detect such form submissions. There’s a nice example of implementation here.
  • This page also talks about a Form Token method. The Form Token is one I’d never heard of until just now in this context. It looks similar to an anti-csrf token in concept.

All told, your best defense, as with anything security related, is a layered approach, using more than one defense. The idea is to make it more difficult than average, so that your attacker gives up ad tries a different site. This won’t block persistent attackers, but it will scale down on the drive-by attacks.

To answer your original question, it all depends on what preventative measures the website developer took to prevent people from automatic account creation.

Any competent developer would address this in the requirements gathering phase, and plan for it. But there are plenty of websites out there coded by incompetent developers/teams, even among big-name companies that should know better.