However, I don't know why you need it, as sshd already writes the real user name in a form like:

```
Accepted publickey for username from IP ...
```

If you don't have it, maybe you can try setting sshd_config's loglevel to VERBOSE.
But back to fail2ban, sure it is possible.
As for the jail, you'd need to specify something like this (along with others):
```ini
[ssh-accept-mon]
failregex = ^\s*\S+ sshd\[\d+\]: Accepted publickey for <F-USER>\S+</F-USER> from <ADDR>
maxretry = 1
findtime = 1
bantime = 1
enabled = true
action = ssh-accept-mon-log
```
Here is how you can check the RE and the captured groups:

```console
$ what='Jul 12 19:50:00 srv sshd[274594]: Accepted publickey for admin from 192.0.2.5 port 59120 ssh2: ECDSA-CERT:...'
$ fail2ban-regex -o '<F-USER> : <ip>' "$what" '^\s*\S+ sshd\[\d+\]: Accepted publickey for <F-USER>\S+</F-USER> from <HOST>'
admin : 192.0.2.5
```
As an action, you need to use something like this:

```ini
[Definition]
actionban = logger -p auth.info "<time> Accepted SSH connection from <F-USER>"
```
Just note that it would not log more than 1 entry per IP per second (due to `bantime`), so maybe you'd try some solution from fail2ban :: wiki :: How to ban something other than host (IP-address), like user or mail, etc.

For instance, the RE from this example will use the "session-ID" (matched with `<F-ID>\d+</F-ID>`) as the failure ID instead of the IP address, so it would "ban" by this ID (and is therefore safe against too-fast entries):

```console
$ fail2ban-regex -o '<F-USER> : <fid> : <ip>' "$what" '^\s*\S+ sshd\[<F-ID>\d+</F-ID>\]: Accepted publickey for <F-USER>\S+</F-USER> from <ADDR>'
admin : 274594 : 192.0.2.5
```

Also consider this RFE - fail2ban#2304 for an alternate approach (or an alternative with `ignorecommand` etc.).
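To see why the caveat about one entry per IP per second matters, here is an added Python example (not from the answer above and not fail2ban's own code) that applies both failregex variants to constructed sshd lines and emulates the collapse of repeated actions for the same failure ID within one second; the tag expansion is a deliberately simplified assumption, since real fail2ban substitutes `<ADDR>` with a much richer address pattern.

```python
import re

# Constructed sshd lines (sample input, not from the original post): two
# publickey logins from one IP in the same second, plus one password login.
LOG_LINES = [
    "Jul 12 19:50:00 srv sshd[274594]: Accepted publickey for admin from 192.0.2.5 port 59120 ssh2: ECDSA-CERT:...",
    "Jul 12 19:50:00 srv sshd[274601]: Accepted publickey for deploy from 192.0.2.5 port 59121 ssh2: ED25519 SHA256:...",
    "Jul 12 19:50:01 srv sshd[274610]: Accepted password for alice from 198.51.100.7 port 41000 ssh2",
]

# Simplified expansion of fail2ban tags into Python named groups (assumption:
# fail2ban's real <ADDR> substitution is far more elaborate than \S+).
TAGS = {
    "<F-USER>": "(?P<user>", "</F-USER>": ")",
    "<F-ID>": "(?P<fid>", "</F-ID>": ")",
    "<ADDR>": r"(?P<ip>\S+)",
}

RE_BY_IP = r"^\s*\S+ sshd\[\d+\]: Accepted publickey for <F-USER>\S+</F-USER> from <ADDR>"
RE_BY_SID = r"^\s*\S+ sshd\[<F-ID>\d+</F-ID>\]: Accepted publickey for <F-USER>\S+</F-USER> from <ADDR>"

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    for tag, repl in TAGS.items():
        failregex = failregex.replace(tag, repl)
    return re.compile(failregex)

def match_lines(failregex, lines):
    """One dict per matching line: timestamp (to the second) plus captured groups.
    The syslog timestamp is stripped first, as fail2ban does before applying failregex."""
    rx, hits = compile_failregex(failregex), []
    for line in lines:
        stamp, rest = line[:15], line[16:]  # "Jul 12 19:50:00", then "srv sshd[...]"
        m = rx.search(rest)
        if m:
            hits.append({"time": stamp, **m.groupdict()})
    return hits

def ban_events(hits, key):
    """Emulate bantime=1/findtime=1: at most one actionban per failure ID per second."""
    seen, bans = set(), []
    for h in hits:
        if (h["time"], h[key]) not in seen:
            seen.add((h["time"], h[key]))
            bans.append(h)
    return bans

if __name__ == "__main__":
    by_ip = ban_events(match_lines(RE_BY_IP, LOG_LINES), "ip")
    by_sid = ban_events(match_lines(RE_BY_SID, LOG_LINES), "fid")
    print("keyed by IP:", [(b["user"], b["ip"]) for b in by_ip])          # deploy's login is lost
    print("keyed by session-ID:", [(b["user"], b["fid"]) for b in by_sid])  # both logins logged
```

With the IP as failure ID, the second login in the same second from 192.0.2.5 produces no action; keyed by session-ID, each login produces its own entry.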