If we invoke the service using appKey, GetCurrentUser() would give the user associated with that appKey.
Anyway, one another approach I found to identify the user is to use Authorization header. Like below:
curl -X POST -u username:password -H "Accept:application/json" -H "Content-Type:application/json" "http://hostname/Thingworx/Things/TestThing/Services/TestAPI"
I find this approach would fit me for now, instead of creating an appKey for every user.