If the web application has permission to create accounts in Active Directory, then this means that the web application presumably has an account with (possibly limited) administrative rights to the Active Directory domain. That could potentially be used for all sorts of bad things if you're not careful.
If you're going to proceed, then the first step, if you haven't already done so, is to delegate administrative rights to your web application's account so that it can only create accounts within a particular OU. See this article for details, or search Google for other descriptions.
You'll probably also want to set up Group Policy and group memberships to further restrict the newly created accounts (for example, disabling Remote Desktop), and you'll want to do so in a way that doesn't rely on the web application doing the right thing (as an extra layer of security in case the web application is compromised).
ServerFault would be a better place to find out about Active Directory's security model and how to best set up these various restrictions.
Finally, if you don't need to have users automatically created within your Active Directory domain, then you should consider other approaches. If you're only looking to use Active Directory as a stable, robust source of user authentication, for example, then you can use Active Directory Lightweight Directory Services (formerly known as Active Directory Application Mode) to get Active Directory's functionality without any affect on your domain's security.