Look into the package dbconfig-common. It's the means for creating database users in a manageable way using package mechanisms.
From the apt description...
Description: common framework for packaging database applications This package presents a policy and implementation for managing various databases used by applications included in Debian packages.
- support MySQL, PostgreSQL, and sqlite based applications;
- create or remove databases and database users;
- access local or remote databases;
- upgrade/modify databases when upstream changes database structure;
- generate config files in many formats with the database info;
- import configs from packages previously managing databases on their own;
- prompt users with a set of normalized, pre-translated questions;
- handle failures gracefully, with an option to retry;
- do all the hard work automatically;
- work for package maintainers with little effort on their part;
- work for local admins with little effort on their part;
- comply with an agreed upon set of standards for behavior;
- do absolutely nothing if that is the whim of the local admin;
- perform all operations from within the standard flow of package management (no additional skill is required of the local admin).
That's probably the best way forward. It's what Debian and MythBuntu uses for MythTV/MySQL database management. I too would like to see the security on the DB users tightened up, but I'm busy with a z/OS course for work which is eating up my spare time...
Hope that helps!