You can run the creation utilities via PHP; however, the creation utilities must be run as root. This implies that you must have SUDO installed.
Enter the second consideration: PHP normally runs as nobody (apache on certain systems). It would be murder to grant SUDO access to 'nobody'. You must therefore also have some type of SUEXEC module, carefully configured, to identify which user is running the PHP script - that way you can control which users get SUDO access.
All in all, the Plesk7 API design is poor. On the bright side, the Plesk6 API was worse - perhaps they'll nail it with Plesk8?
An API is supposed to give a program access to another program (application program interface) - however, offering it only as root-privilege shell scripts is shooting yourself in the foot. Most resellers will not grant sudo access on a shared webhosting machine, which is the audience that Plesk caters to. Sudo opens a hole without doubt, and it is wise to keep these kinds of 'powerful' tools far away from scripting languages such as Perl and PHP, which are the tools generally used to create web applications. Why then create an API that is only accessible through means which are not viable under most situations? It's akin to selling soup knives. Jokes aside, much harm could be done by the savvy wrongdoer.
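
The arrangement the second paragraph describes (sudo granted to the account suEXEC maps the script to, never to the web server user), as an added sudoers fragment that is not part of the original post. The account name `reseller1` and the utility path are placeholders, not real Plesk values.

```sudoers
# /etc/sudoers.d/plesk-api   (constructed example)
# Edit with visudo; syntax-check with: visudo -c -f /etc/sudoers.d/plesk-api
#
# Placeholders (assumptions, not taken from Plesk):
#   reseller1                   account suEXEC runs the PHP script as
#   /path/to/creation-utility   one of the root-only creation utilities

# --- Weak: the grant the post calls "murder" --------------------------
# Every PHP script on a shared host runs as the web server user, so this
# line would give root to any script any customer uploads.
# nobody     ALL=(ALL) NOPASSWD: ALL

# --- Scoped: one suEXEC-mapped account, one command, root only --------
Cmnd_Alias PLESK_CREATE = /path/to/creation-utility

# PHP has no terminal and cannot answer a password prompt.
Defaults:reseller1 !requiretty
# Do not pass the caller's environment through to the root process.
Defaults:reseller1 env_reset

reseller1  ALL=(root) NOPASSWD: PLESK_CREATE

# Caveats:
#  - A command listed without arguments may be run with ANY arguments,
#    so the PHP side must still quote every value (escapeshellarg) and
#    the utility must validate what it receives.
#  - The utility and every directory above it must be writable by root
#    only, or the grant is equivalent to full root.
```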