Openfire can be configured to allow for anonymous XMPP connections. Those should not be usable to create administrative accounts though. If you do not want anonymous XMPP connections, then make sure that this feature is disabled in the admin console.
When unauthorized users create an admin user, then there is a weakness being exploited in your configuration somewhere. It is impossible to tell for sure what is causing this without more data. My first thought would be an exploit of the security vulnerability that was recently reported. Are you running the latest version of Openfire?