I just wondered if there was any good way to protect the "login ticket" (the mail containing the one-time-use code) from interception in the 24 hours between when it is sent and the expiration time that we store.
For account creation, you can do this by requiring that the user authenticate with their username and password to use the "login ticket". If they know all of the authentication details and have control of the email account, there's really no way to distinguish them from a legitimate user (from your limited perspective). That said, acquiring all of the account details (including the password) and gaining access to the user's email account in a short time window represents an attack that's only likely for an account on a very important system, and you (I) wouldn't deploy such a system with email as the only means of verification.
Things are more difficult for password reset requests because the user doesn't know their login details, but that's a different scenario from the account generation one. You have to make security compromises in the name of convenience if you want a user to be able to reset their password from a link in an email alone.
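The account-creation approach described above, where the e-mailed ticket is honoured only together with the username and password, sketched as an added example that is not part of the original answer. The `Accounts` class, its in-memory store and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TICKET_TTL = 24 * 60 * 60  # the 24-hour expiry window from the question

def _pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumed choice here; any slow password hash fits.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _ticket_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

class Accounts:
    """In-memory stand-in for the user table (hypothetical schema)."""
    def __init__(self):
        self.users = {}

    def register(self, username, password, now=None):
        """Create an unverified account; return the token to be e-mailed."""
        now = time.time() if now is None else now
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)
        self.users[username] = {
            "salt": salt,
            "pw": _pw_hash(password, salt),
            # Only a hash of the ticket is stored, so a database leak
            # does not hand out redeemable tickets.
            "ticket": _ticket_hash(token),
            "expires": now + TICKET_TTL,
            "verified": False,
        }
        return token

    def redeem(self, username, password, token, now=None):
        """Activate the account only if password AND ticket both check out."""
        now = time.time() if now is None else now
        u = self.users.get(username)
        if u is None or u["ticket"] is None:
            return False
        if now > u["expires"]:
            u["ticket"] = None  # expired tickets are discarded
            return False
        pw_ok = hmac.compare_digest(_pw_hash(password, u["salt"]), u["pw"])
        tk_ok = hmac.compare_digest(_ticket_hash(token), u["ticket"])
        if not (pw_ok and tk_ok):
            return False  # an intercepted ticket alone is not enough
        u["ticket"], u["verified"] = None, True  # one-time use
        return True
```

A production version would also rate-limit failed `redeem` attempts per account, since the password check is now reachable through the ticket endpoint.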