That is a good question. Kris is correct, ContentAdmin roles for example and other non-roles can create new apps in their My Work stream - they can as you have seen can create Master Items too. Let me see if my colleague jog can provide any input? - Jeff?
By default, a user of a published app does not have access to create, update, or delete master items if they are not a content admin.
That said, on unpublished applications the owner is able to create master items for their apps before they have been published.
If you want root admins to have the ability to do the same as content admins, check out the rule named ContentAdmin. You can modify it by changing the Condition from ContentAdmin to RootAdmin. However, I recommend disabling the built in rule and creating your own version that mirrors it.
If you want to disable app creation, take a look at this video on Security rules. SenseSecurityRules.mp4 - Google Drive