I also feel this is a serious flaw in Wordfence. We were also hacked and found new files which Wordfence didn't identify.
While comparing with WP-Core, it should highlight any additional files that are not in core.
Even if you only compare the root, wp-admin, and wp-includes - I understand how flagging up files in wp-content is not practical.
While we're here, there should be an option to "auto delete new files in core" and also "auto restore modified files in core".
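The comparison requested in this post, as an added example that is not part of the original post and is not Wordfence's code: it walks the root, wp-admin and wp-includes, skips wp-content, and reports files that are absent from a core manifest along with core files whose content changed. The manifest format (relative path to MD5 digest), the `EXPECTED_EXTRA` allowlist, the function names and all file names in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: files that legitimately sit in the root but are not shipped with core.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def audit_core(root, manifest, expected_extra=EXPECTED_EXTRA):
    """Return (unknown, modified, missing) core-relative paths."""
    # manifest: path -> MD5 hex digest (assumed format); wp-content is skipped.
    unknown, modified, seen = [], [], set()
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.samefile(dirpath, root):
            dirnames[:] = [d for d in dirnames if d != "wp-content"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                if rel not in expected_extra:
                    unknown.append(rel)      # file that core never shipped
            elif md5_of(full) != manifest[rel]:
                modified.append(rel)         # core file whose content changed
    missing = [p for p in manifest
               if p not in seen and not p.startswith("wp-content/")]
    return sorted(unknown), sorted(modified), sorted(missing)

def demo():
    """Build a constructed tree in a temp dir and audit it."""
    core = {"index.php": b"<?php // front controller",
            "wp-admin/admin.php": b"<?php // admin",
            "wp-includes/version.php": b"<?php $wp_version = 'x';"}
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in core.items()}
    extra = {"wp-config.php": b"<?php // site config",
             "wp-includes/class-cache-old.php": b"<?php // not part of core",
             "wp-content/uploads/photo.jpg": b"jpeg bytes",
             "wp-admin/admin.php": b"<?php // admin, altered"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in {**core, **extra}.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return audit_core(root, manifest)
```

Calling `demo()` returns the three lists for the constructed tree; on a real site the manifest must match the installed core version and locale, otherwise every file reports as modified.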