Presumed gov MitM discovered due to expired LE certs

CAA Account Record Binding (see RFC 8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding and Enabling ACME CAA Account and Method Binding) would ideally prevent this in general.

Basic CAA records only indicate which CA(s) should be allowed to issue certificates for a domain. Recent extensions, such as Account Binding (linked above), indicate that only particular account(s) on particular CA(s) should be allowed to handle certificates.

The utility of CT logs here is that they allow for detection of these certificates. Some vendors offer CT monitoring for their customers, which would automatically detect this. Cloudflare is one such company.

Please remember, this was most likely a government action. A government could conceivably compel a CA to issue a certificate and bypass CAA restrictions. A government could also conceivably compel a CA or CT log to not report the certificate. I think we are likely to see that happen in the future, and this situation was caught because the government(s) involved did not fully cover their tracks.

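As an added illustration of the CAA logic discussed in the post above (this is example code written for this page, not code from the poster, from Let's Encrypt, or from any CA), the following Python implements the issuance check a CA performs under RFC 8659, extended with the RFC 8657 `accounturi` and `validationmethods` parameters. The zone contents, the CA name and the account URIs are constructed sample data; the record on `example.com` binds issuance to one hypothetical ACME account, so a second account at the same CA, or a different validation method, is refused even though the CA itself is listed.

```python
"""CAA issuance check: RFC 8659 base rules plus RFC 8657 account/method binding.

All DNS data here is constructed for the example; nothing is looked up over the network.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80          # RFC 8659 s4.1: high bit of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed account URI of the legitimate subscriber (hypothetical value).
LE_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


@dataclass
class IssueRequest:
    domain: str        # name the certificate is requested for ("*.x" for wildcard)
    ca_domain: str     # the CA's CAA issuer-domain-name, e.g. "letsencrypt.org"
    account_uri: str   # account URI the CA assigned to the requesting account
    method: str        # ACME validation method in use, e.g. "dns-01"


def parse_issue_value(value):
    """Split 'issuer-domain-name; k=v; k=v' into (issuer, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return issuer, params


def record_permits(value, req):
    """True if one issue/issuewild record authorizes this request."""
    issuer, params = parse_issue_value(value)
    if issuer == "" or issuer != req.ca_domain.lower():
        return False                      # ';' alone means nobody may issue
    acct = params.get("accounturi")
    if acct is not None and acct != req.account_uri:
        return False                      # RFC 8657: exact, case-sensitive URI match
    methods = params.get("validationmethods")
    if methods is not None:
        allowed = {m.strip() for m in methods.split(",")}
        if req.method not in allowed:
            return False
    return True


def relevant_rrset(zone, domain):
    """RFC 8659 s3: walk up the tree to the closest name that has CAA records."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def is_authorized(zone, req):
    """Decide whether the CA may issue for req, given the (constructed) zone."""
    rrset = relevant_rrset(zone, req.domain)
    if not rrset:
        return True                       # no CAA anywhere: no restriction
    # Unknown tag with the critical flag set: CA MUST NOT issue (RFC 8659 s4.1).
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r.value for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r.value for r in rrset if r.tag.lower() == "issuewild"]
    wildcard = req.domain.startswith("*.")
    candidates = issuewild if (wildcard and issuewild) else issue
    if not candidates:
        return True                       # CAA present but no issue restriction requested
    return any(record_permits(v, req) for v in candidates)


# Constructed sample zone: example.com binds issuance to one account and dns-01 only;
# ct.example.com forbids all issuance; the example.org name has no CAA at all.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue",
                  "letsencrypt.org; accounturi=" + LE_ACCOUNT + "; validationmethods=dns-01"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "ct.example.com": [CAARecord(0, "issue", ";")],
}

if __name__ == "__main__":
    legit = IssueRequest("www.example.com", "letsencrypt.org", LE_ACCOUNT, "dns-01")
    rogue = IssueRequest("www.example.com", "letsencrypt.org", LE_ACCOUNT[:-5] + "99999", "dns-01")
    print("legitimate account:", is_authorized(SAMPLE_ZONE, legit))
    print("other account, same CA:", is_authorized(SAMPLE_ZONE, rogue))
```

The check is only as strong as the CA's willingness to enforce it: as the post says, a CA compelled to issue can simply skip this step, which is why CT monitoring remains the detective control.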