Adding so powerful rights to a web-application user as create table is generally a bad practice. I would implement the table creation in a stored procedure, then give only execution access on the procedure to the user, and wouldn't give more powerful and dangerous DDL (Data Definition Language) rights.
Creating the table using a stored procedure you can restrict table creation with business rules. For example you can give a pattern to the table name, you can restrict the number of columns or you can maximize the number of tables can be created, you can also log the table creation event.