So I have been hounding GoDaddy for more information, since they told me they were investigating the root cause of the attack, and since the attacks (at least for me and StoneChopper) came from GoDaddy servers.
Beside confirming that the attack on my site-in-question did came from a GoDaddy IP, here's the latest (most thorough) info I have gotten from them so far:
We have continued to research the root cause of this issue, however due to security concerns we are unable to provide the entire results of our findings. Attacks originated from compromised accounts on other shared hosting servers and we have taken steps to prevent these attacks from succeeding in the future. We found that in most cases a previous compromise of the account had occurred in which attackers added a new WordPress administrator user named 'systemwpadmin' to the WordPress database. It does not appear to be an unpublished exploit, but rather a re-visiting of previously compromised and un-cleaned accounts. The 'systemwpadmin' user was later used to login directly to your WordPress admin, modify files, and the user was then removed from the database. We have placed additional security measures in place to prevent this specific attack in the future. You can work to prevent this attack or similar attacks by ensuring that WordPress is fully up to date as well as all themes, plugins, etc. and that any vulnerable items are removed from your account rather than simply being disabled via WordPress.
Well, systemwpadmin was able to get into after I had all the usual security recommendations done and then some. The only thing I can suspect is that there were some unused themes and plugins when the attack happened, so may be one of them had exploit code. Those unused themes and plugins have since been deleted, and unfortunately I didn't make copies of them before uninstalling them, so I can't tell for sure if they were the culprits.
I have pleaded with GoDaddy for more information, especially info on the exploit(s) involved (if there was any). I'm also curious about what "security measures" they put in to prevent such attack in the future, but I doubt they would tell me, especially if that would expose any vulnerability of their servers. I'll update when I hear back from them.
Meanwhile, I came across this video that shows an exploit to add a new admin user. It applies to WP 3.3.2, but it doesn't mean it doesn't affect current WP version. Here's a little more info on the exploit: link