I think it is more likely they need to verify that he only did what is currently known about and nothing else (such as if he had granted himself access to some private repos, for instance). Much safer to suspend/terminate his account first just in case. They are likely combing access logs, etc. Maybe they will reinstate it later after a review. Who knows other than Github.

It could also be to reduce legal culpability. If they left his account enabled and he had granted himself access, and later did more damage, they might be liable for negligence? Not sure. IANAL, etc.