Bug #51349 database name contains underscore; creating database without privileges
Submitted: 20 Feb 2010 14:17
Modified: 2 Mar 2010 10:46
Reporter: Claudiu Cc
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S1 (Critical)
Version: 5.0.88/5.1.42
OS: Linux
CPU Architecture: Any
Tags: creating database without privileges

[20 Feb 2010 14:17] Claudiu Cc
Description:
user privileges: Select, Insert, Update, Delete, Create, Drop, Alter, Lock_tables, Index, Create_tmp_table, References, Create_view, Show_view

User format: 12345
Allowed database format: 12345_db1. The user shouldn't be able to create a database via PHP.

With phpMyAdmin, for example, the user is able to create the database "12345?db1". If 12345_db2 has already been created, it's possible to create 12345?db2 and so on.
The database will be created, but no entries are added under mysql.db.

This problem appears only if the database name contains an underscore; otherwise phpMyAdmin returns
Create new database:
No Privileges

In a terminal,
CREATE DATABASE 12345?db1;
under this user will fail, however.

How to repeat:
user privileges: Select, Insert, Update, Delete, Create, Drop, Alter, Lock_tables, Index, Create_tmp_table, References, Create_view, Show_view

User format: 12345
Database format: 12345_db1.
The user shouldn't be able to create a database via PHP.

With phpMyAdmin, for example, the user is able to create the database "12345?db1". If 12345_db2 has already been created, it's possible to create 12345?db2 and so on.
The database will be created, but no entries are added under mysql.db.
[2 Mar 2010 10:46] Sveta Smirnova
If the user has privileges on database 12345_db1, your case looks like the one described in our user manual at http://dev.mysql.com/doc/refman/5.0/en/grant.html:

"Note: the ‘_’ and ‘%’ wildcards are allowed when specifying database names in
GRANT statements that grant privileges at the global or database levels. This means, for
example, that if you want to use a ‘_’ character as part of a database name, you
should specify it as ‘\_’ in the GRANT statement, to prevent the user from being able
to access additional databases matching the wildcard pattern; for example, GRANT ... ON
`foo\_bar`.* TO ...."

So this is not a bug.
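The following is an added example, not part of the bug report or of MySQL's documentation, that reproduces the behaviour the reporter describes and the fix the reply points to. The account name, password, host and the per-account database name are constructed for illustration; the privilege list is the one the reporter gives.

```sql
-- Added example (not from the bug report): the same database-level grant
-- written two ways. Account, password and host are constructed.
CREATE USER '12345'@'localhost' IDENTIFIED BY 'example-password';

-- 1. The grant as a hosting panel typically writes it. In the ON clause of a
--    database-level GRANT, an unescaped '_' is a LIKE wildcard, so the single
--    row this creates in mysql.db covers 12345_db1, 12345?db1, 12345xdb1 and
--    every other name of the form 12345<any one character>db1.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, LOCK TABLES, INDEX,
      CREATE TEMPORARY TABLES, REFERENCES, CREATE VIEW, SHOW VIEW
  ON `12345_db1`.* TO '12345'@'localhost';

-- Connected as '12345'@'localhost': succeeds, because the new name matches
-- the stored pattern. (Unquoted, CREATE DATABASE 12345?db1 is a syntax error
-- because '?' is not an identifier character; the backticks are what make
-- the statement reach the privilege check at all.)
CREATE DATABASE `12345?db1`;

-- 2. The fix quoted from the manual: escape the underscore so that the
--    pattern matches only the literal name 12345_db1.
REVOKE ALL PRIVILEGES ON `12345_db1`.* FROM '12345'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, LOCK TABLES, INDEX,
      CREATE TEMPORARY TABLES, REFERENCES, CREATE VIEW, SHOW VIEW
  ON `12345\_db1`.* TO '12345'@'localhost';

-- Connected as '12345'@'localhost': now fails with
-- ERROR 1044 (42000): Access denied for user '12345'@'localhost' to database '12345?db2'
CREATE DATABASE `12345?db2`;

-- Check 1: the escaped pattern is visible in the grant itself.
SHOW GRANTS FOR '12345'@'localhost';

-- Check 2 (audit): any Db value in mysql.db that contains a '_' or '%' not
-- preceded by a backslash is a pattern, not a literal database name.
-- (Each backslash in the regex is doubled once more for the SQL string.)
SELECT User, Host, Db, Create_priv
  FROM mysql.db
 WHERE Db REGEXP '(^|[^\\\\])[_%]';
```

Two points the thread touches on follow directly from this. First, CREATE DATABASE never writes to mysql.db; the "no entries are added under mysql.db" observation is expected, because the access to 12345?db1 came from the existing pattern row for 12345_db1, not from a new grant. Second, the audit query is the check to run on a shared hosting server before assuming per-account isolation: every row it returns is an account whose privileges extend to other databases matching the wildcard, and each such grant needs to be re-issued with the underscore escaped as `\_`.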