Commit cc0a0560 authored by Konstantin Osipov

alter: add a missing CREATE access check

Add a missing CREATE access check. Update tests.
Update a comment.

Fix a security issue when a user who had read/write access
to system spaces could create any object, even while lacking
CREATE privilege. The issue was caused by a misleading access
check in access_check_ddl which would grant access to the owner
of the object. But in case of CREATE the owner of the object
is the effective user already, so CREATE access was always granted.

In case of CREATE, ignore the definer user id in access_check_ddl() - it
is irrelevant, since we create a *new* object.

Update tests.

In scope of gh-945
parent eed4296b
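
The logic error described in the commit message, as an added example: a simplified model that is not code from this commit or from the project. All type, constant and function names are hypothetical, and the privilege model is reduced to a single bitmask per user.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the check; every name here is hypothetical. */
enum { PRIV_R = 1, PRIV_W = 2, PRIV_CREATE = 4, PRIV_DROP = 8 };
struct user { uint32_t uid; unsigned granted; }; /* granted: privilege bits */

/* Before: the owner shortcut applies to every DDL operation. */
static bool ddl_allowed_before(const struct user *u, uint32_t owner_uid,
                               unsigned priv)
{
    if (u->uid == owner_uid)
        return true;    /* for CREATE, owner_uid is always the caller */
    return (u->granted & priv) == priv;
}

/* After: the owner id is ignored for CREATE, since the object is new. */
static bool ddl_allowed_after(const struct user *u, uint32_t owner_uid,
                              unsigned priv)
{
    if (priv != PRIV_CREATE && u->uid == owner_uid)
        return true;
    return (u->granted & priv) == priv;
}

/* A new object is recorded with the effective user as its owner. */
bool can_create_before(const struct user *u)
{
    return ddl_allowed_before(u, u->uid, PRIV_CREATE);
}

bool can_create_after(const struct user *u)
{
    return ddl_allowed_after(u, u->uid, PRIV_CREATE);
}

/* Dropping an existing object owned by owner_uid. */
bool can_drop_after(const struct user *u, uint32_t owner_uid)
{
    return ddl_allowed_after(u, owner_uid, PRIV_DROP);
}

int main(void)
{
    struct user rw = { 32, PRIV_R | PRIV_W };   /* constructed sample user */
    printf("before=%d after=%d\n", can_create_before(&rw), can_create_after(&rw));
    return 0;
}
```

The owner shortcut stays in place for operations on existing objects, so a regression test for this class of bug needs a user with read/write access but no CREATE grant.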