Using 9.0.3 it appears that by default the public group (ie everyone) in postgreSQL has create permission on the public schema of all databases. I assume the permission is set incorrectly on the template1 table. This also appears to be happening in debian lenny installs at my work. Reproducible: Always
http://www.postgresql.org/docs/current/static/ddl-schemas.html#DDL-SCHEMAS-PRIV We follow upstream here.