
You mean like the Vista and Win 7 UAC screen?

http://www.micro-isv.asia/img/win7uac.png




What would prevent someone from spoofing this? (other than there being no apparent reason to spoof it)


Except for the apparent reason of fooling a user into confirming something he/she is not aware of?

Anyway, asking the end user security questions is always a bad choice. There is an excellent paper about it by Ka-Ping Yee:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.9.4...

But then of course, to relieve users of the burden of making security decisions one needs the whole chain of authentication of executables, access control and a trust system to dispense privileges.

EDIT: a better link to Yee's paper


Except you don't confirm anything. A fake UAC doesn't have any magic powers, nor can it pass your click on to the real UAC.

The problem UAC solves is that you click on a harmless dialog, but suddenly an important dialog is swapped in under your mouse. A fake UAC can't do that.



