If they enter the db username that has "create database" permissions into the screen they are most likely doing it http. So, it's passed along in plain text. Yikes.
I'd agree that this is the right approach - asking for a dba username and password on the install form. Whereas this is technically true that the passwords go in clear text, that isn't always a problem. You wouldn't want to do this if you were talking to a remote hosting company that didn't provide you SSL certs, but if the server were in your company, inside a firewall, this isn't any different that how most remote database management tools behave (e.g. PGADMIN III, mysqladmin, etc) It's already been pointed out that most internet remote hosting companies wouldn't allow you to do this using the drupal provided tool anyway.... so.... I say +1 to database creation with a form provided dba username and password, especially if we put a little warning on the form. (Don't do this if your remote managing across the internet).