Although I cannot exactly reproduce the problem that you’re having, I believe that it is caused by adding the data for the new user as query parameters instead of as a body posted in the HTTP request.
With the latest (development) code of Openfire (4.7.0-SNAPSHOT) and the restAPI plugin (1.7.0-SNAPSHOT) the following curl request works as intended:
curl -v -X POST --header "Authorization: foobar" \
--header "Content-Type: application/xml" \
A potential other source of problems might be using a read-only user-base, such as LDAP or AD.
Your log files probably hold more clues as to what’s going wrong exactly.