If anyone can create an account without admin approval, that's the security hole. Put a "captcha" device in the signup form, forcing new users to enter a code, select all of the "motorcycles", etc. That will prevent the fake accounts from even being created.

Now, if you're going to say these are not fake accounts, but legit accounts that have been hacked, your log files should show what username is being used to login. Change that account's password and alert the member/user to never use the old password again and that should take care of it.

Those should be the only 2 possible ways that these spammers are getting access to the system. Either creating fake accounts or having access to a legit account that's been compromised. Good luck!