That would require Cloudflare to have a KYC policy which exposes the individual/organization behind an account, and they don't do that either.

If DDoS4U gets banned they can just rebrand as DDoS4Less and CF is (willingly?) none the wiser that it's the same people behind it.

Malicious actors could spin up new accounts whether or not CF bans malicious accounts without a court order. Requiring a court order would have no bearing on CF's ability to prevent duplicate accounts.

KYC := know your customer

aka get their real id

That sort of court order would end this entire product feature. You can't have accountless tunnels if you have to be able to bar specific individuals or organizations.