What you have outlined is pretty sensible. You would need to create a new ActiveMQ user for each site and give them read write and admin permissions on site.<whatever>
using the authorization plugin. If you are using the simple security plugins, where both the authentication and authorization details are in your activemq.xml, then you will need to restart ActiveMQ after each site addition.
If you want to do this automatically (can't really do this dynamically), then you would need to used the LDAP versions of the authentication and authorization plugins, and have a script that writes the appropriate credentials and permissions into LDAP when a site is installed. I am guessing you would probably already need some sort of a scripted step to add the credentials to the site in the first place, so this shouldn't be a big deal. I am pretty sure that ActiveMQ should pick up the changes without a restart, but I haven't tried this myself, so you would need to test this.