The trick is, that every time you create a new credential, it's serial number is scrambled/blinded.

And whenever you spend or present a credential, then you must unblind the serial number.

So, the coordinator sees a random blinded cyphertext when the credential is created, and he sees a different random unblinded serial number when the credential is presented.

This is theoretically perfect privacy, meaning Esch credential looks indistinguishably random with the anonymity set of all users of this time period.