While only an OWNER can create service accounts, an EDITOR too can manipulate existing service accounts.

If a project contains service accounts , the Editor roles grant permission to create or upload service account keys. This allows a bad actor to create new keys for existing service accounts and use these keys to either escalate their own access, or to hand the keys to other users to obtain access to project resources.

Instead of using the Editor role, use predefined roles.