Hi Tom! :)
Where it is the ereg($re0 . '%|_', $show_grants_dbname) part that returns true (1).
Now, I don't really know what this ereg() does, except for this part: $re0 = '(^|(\\\\)+|[^])'; Which I am sorry to say I don't understand.
AFAIR the regex is there to check if you have any grant for the user available which contains wildcards for a DB name. PMA automagically displays the create form if it detects that you have wildcard grants, because it's then possible for the user to create one or multiple DBs.
As you are using an underscore in your grant, that one acts as a wildcard character; thus your user is effectively able to create databases matching that wildcard scheme.
See our FAQ 6.10 or this recent support request https://sourceforge.net/tracker/?func=detail&atid=377408&aid=965109&... for more information on that issue.
Regards, Garvin.
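
An added example, not part of the original message and not phpMyAdmin's own code: a Python sketch of the wildcard behaviour described above, where an unescaped `_` or `%` in the database part of a GRANT matches more names than the literal one, while a backslash-escaped one does not. The function names and the database names are constructed for illustration, and name case-sensitivity rules are ignored.

```python
import re

def has_unescaped_wildcard(db_pattern):
    """True if the GRANT database pattern holds a % or _ not escaped by a backslash."""
    i = 0
    while i < len(db_pattern):
        ch = db_pattern[i]
        if ch == "\\":
            i += 2          # skip the backslash and the character it escapes
            continue
        if ch in "%_":
            return True
        i += 1
    return False

def grant_pattern_to_regex(db_pattern):
    """Translate a GRANT database pattern into an equivalent compiled regex."""
    out = []
    i = 0
    while i < len(db_pattern):
        ch = db_pattern[i]
        if ch == "\\" and i + 1 < len(db_pattern):
            out.append(re.escape(db_pattern[i + 1]))   # escaped: literal character
            i += 2
            continue
        if ch == "%":
            out.append(".*")                           # any run of characters
        elif ch == "_":
            out.append(".")                            # exactly one character
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matching_names(db_pattern, candidates):
    """Return the candidate database names the grant pattern covers."""
    rx = grant_pattern_to_regex(db_pattern)
    return [name for name in candidates if rx.fullmatch(name)]

# Constructed sample database names, not taken from the thread.
CANDIDATES = ["tom_db", "tomXdb", "tom1db", "tom_db2", "other"]

if __name__ == "__main__":
    for pattern in ("tom_db", "tom\\_db", "tom\\_%"):
        print(pattern, has_unescaped_wildcard(pattern),
              matching_names(pattern, CANDIDATES))
```

Running it over the patterns of an account's database-level grants shows which ones are broader than the single database name they appear to spell out.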