At what level should the limits apply? Limits per account create attempt can easily be bypassed, by just creating a bunch of emails. Limits should per IP address would stop Tor users from creating accounts, as a lot of signups come from Tor. This would also apply to organizations that share an IP among many people.
I think that attempts to sign up with a phone number should pretend to send a SMS, but silently do nothing. However, if somebody from the same IP address that created the account using the attempted phone number, then it should just give an error like it does right now.
Creating emails and reattempting the sign up process with these will indeed allow the scammers to create accounts but it will significantly slow down the ones that are using this route. We need to plug the simple holes.
Limiting them per IP address would be a good idea as well. It would give them another hoop to jump through. Let's say 2 accounts per IP.
Like you said, there's another solution that would add another layer: have the SMS receive a number and then SEND it. That will eliminate the receive-only SMSes.