Now, something I did notice: In the 2.5.1 version I downloaded from WordPress, the xmlrpc.php file is dated 3/14/08. It would seem that it wasn't changed from 2.5.0 to 2.5.1 (although I don't have a copy of 2.5.0 on my drive here).
I do, and you are correct, xmlrpc.php did not change between 2.5 and 2.5.1. However, there are still no known hacks via xmlrpc.php.
BUT, if somebody can create a user on your blog through some other method, then they can use the xmlrpc to make a post. This is an easy automated way to do that sort of thing. The problem is not necessarily with xmlrpc, is what I'm saying.
But then here's the thing: unless you can tell how it was done, it won't be fixed. Unless the hacker hits one of the several honeypots I know are out there, nobody will have the information to know how he got in. And a lot of the "hacks" I've investigated are, to my certain and absolute knowledge, exploits in other, older backdoors that were left behind from previously hacked versions.
In other words, if you ever got hacked before, and did not completely wipe your site clean and sanitize everything, then that's probably how they got back in. You can't simply fix up a hack without checking every line of code in every single file.
Here's what to do after a hack:
1. Download your WP database using the "Export" method. This doesn't preserve options and such, so it will likely be clean of any hacks.
2. Make a backup copy of your theme and plugins. Redownload fresh copies of the plugins that you can find, and use those copies instead of the backed up ones.
3. Delete your entire WP directory. Everything.
4. Install a fresh WP and restore your site to it, themes, plugins, everything. This takes time.
Of course, simply keeping backups every so often removes the need for this drastic action, but still, it's the only way to be sure nothing was left behind. These automated hacking programs are smart; they leave themselves ways in, even after you remove the original one.
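For step 2 above, one way to see which backed-up plugin or theme files differ from a freshly downloaded copy before deciding what to restore. This is an added example, not part of the original post; the directory layout and file names in the demo are constructed.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(backup_root, fresh_root):
    """Return (modified, extra): backed-up files whose content differs from
    the fresh download, and files that exist only in the backup."""
    backup, fresh = tree_hashes(backup_root), tree_hashes(fresh_root)
    modified = sorted(p for p in backup if p in fresh and backup[p] != fresh[p])
    extra = sorted(p for p in backup if p not in fresh)
    return modified, extra

def _write(root, rel, data):
    """Helper for the demo: create a file with the given bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a backup with one altered file and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        fresh = os.path.join(tmp, "fresh")
        for root in (backup, fresh):
            _write(root, "plugin/main.php", b"<?php // plugin code\n")
            _write(root, "plugin/readme.txt", b"readme\n")
        # The backup differs from the release in two ways.
        _write(backup, "plugin/main.php", b"<?php // plugin code\n// appended\n")
        _write(backup, "plugin/images/cache.php", b"<?php // not in release\n")
        return compare_trees(backup, fresh)

if __name__ == "__main__":
    modified, extra = demo()
    print("modified:", modified)
    print("only in backup:", extra)
```

Anything reported as modified or only in the backup needs a line-by-line read before it goes back onto the fresh install; a file that matches the fresh copy can simply be replaced by it.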