(Reposting here my comment from the Medium article)
I suspect that, for the overwhelming majority of contracts and security inspectors, this will never be an issue. Even before better tooling comes along, one will be able to quickly tell the “common case” of contracts that have been deployed with CREATE “all the way down”, without inspecting creation code. Just look up the contract’s creator, try a few small integer nonces (1–255 will catch virtually all cases), see if keccak256(rlp([creator, nonce])) returns the contract’s address, repeat the same for creator recursively. One can do this manually or it’s an easy utility to write over existing info in blockchain explorers.
E.g., the test in Solidity (given contract and creator addresses) is:
== keccak256(abi.encodePacked(byte(0xd6), byte(0x94), address(creator), byte(nonce)))
If it passes, the contract was created with CREATE, not with CREATE2.
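The check described in the comment above, as an added example that is not part of the original comment: it uses the full RLP nonce encoding, so it also covers nonce 0 and nonces of 128 and above, where the fixed 0xd6 prefix and single nonce byte no longer apply. The library and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; CreateOrigin and its function names are hypothetical.
library CreateOrigin {
    // Address that CREATE assigns to a contract deployed by `creator` at `nonce`:
    // the low 20 bytes of keccak256(rlp([creator, nonce])).
    function createAddress(address creator, uint64 nonce) internal pure returns (address) {
        bytes memory n = rlpNonce(nonce);
        // List payload = 0x94 + 20 address bytes + encoded nonce (at most 30 bytes),
        // so the list header is the single byte 0xc0 + payload length.
        bytes memory rlp = abi.encodePacked(
            bytes1(uint8(0xc0 + 21 + n.length)), bytes1(0x94), creator, n
        );
        return address(uint160(uint256(keccak256(rlp))));
    }

    // RLP integer encoding: 0 -> 0x80, 1..0x7f -> the byte itself, larger values ->
    // (0x80 + byte length) followed by the big-endian bytes without leading zeros.
    function rlpNonce(uint64 nonce) internal pure returns (bytes memory) {
        if (nonce == 0) return hex"80";
        if (nonce < 0x80) return abi.encodePacked(bytes1(uint8(nonce)));
        uint8 len = 0;
        for (uint64 v = nonce; v != 0; v >>= 8) len++;
        bytes memory out = new bytes(len + 1);
        out[0] = bytes1(0x80 + len);
        for (uint8 i = 0; i < len; i++) {
            out[len - i] = bytes1(uint8(nonce >> (8 * i)));
        }
        return out;
    }

    // Try nonces 0..maxNonce against `target`. A match means `target` was deployed
    // by `creator` with CREATE. Nonce 0 can only match an externally owned creator,
    // since contract nonces start at 1 (EIP-161).
    function findCreateNonce(address creator, address target, uint64 maxNonce)
        internal pure returns (bool found, uint64 nonce)
    {
        for (nonce = 0; nonce <= maxNonce; nonce++) {
            if (createAddress(creator, nonce) == target) return (true, nonce);
        }
        return (false, 0);
    }
}
```

No match within the nonce range is inconclusive on its own: the creator may simply have a higher nonce, so only then does the creation code need inspecting for CREATE2.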