I've just read the following disturbing article over on Mac Geekery. Basically, by design, when you install packages under OSX part of the process can use a mode which allows it to run with elevated super-user privilege.
Therefore, and Mac Geekery have provided proof of concepts, someone could quite easily create and distribute an application which, when installed, could create itself an account on the machine, change the super-user password, hell, anything really.
Mac Geekery have provided short term solutions to this, which is basically avoid downloading and installing things that are not from reputable sources. Long term Apple will need to ammend the process so it at least prompts for a password before an installer starts acting like God on people's computers.