Well, I guess that request doesn't sound fishy at all ...
AFAIK that feature is turned off by default. I don't think the MSSQL user has the right to create new accounts either. But considering we're talking about sro-pservers, anything seems possible.
Happy hacking.