With contact details like phone numbers a emails it's good practice to periodically request a user to verify that their contact details are up to date.
For primary account identifiers, mostly user names, but can be phone numbers can periodically be reclaimed by the system. When the application "notices" that an account hasn't been accessed in a years time. It notifies the user that their account is eligible for deletion unless they log in and verify their existence. A second notification with a 24 hour notice can be sent as a precaution. If no one claims the account – delete it.
Although most of the times we don't do a "hard delete" of an account. We mostly only mark it as inactive. Depending on the type of data stored in the account we will only "hard delete" sensitive data and keep things such as contact details.
In your scenario
If the application calls the number (shared by both parties) to get confirmation of identity. Simply question whoever answers the phone to recite other data points that were stored in each user account, eg. Please recall your address. If the person at the end of the line recites User A's address, User A is also User B. Otherwise it is a new user B with a recycled number. If there are no other identifiable data points stored for User A. User B may claim the number and User A's account is simply closed.
