User can create a child group for a parent that they're not a member of

The only access control measure that subgroups sets in place is the permission of 'edit groups hierarchy'. Any user role that has that permission is allowed to choose any other group as its parent. Whether its the right thing to do or not, the group membership doesn't dictate if a user is able to create subgroups.

This should be configurable. For example, some radio buttons can be added to the content type form to determine who can create a subgroup for this group type (e.g. group admins, group members, everyone).

The patch being worked on in this ticket: #976042: Add option to choose which group types can be used to create hierarchies includes access control options for granting group members or admins the privilege of creating subgroups.

UPDATE:
I removed the access control options from the patch listed above. That feature will not be included in the subgroups module. The og_user_roles module is already set up to handle special privileges for group members and group admins.

The privilege to create a group hierarchy is controlled by the 'edit groups hierarchy' permission. If this permission is given to non group members (such as site admins) then yes they will be able to create hierarchies below groups they are not members of. The og_user_roles module should be used to help create finer grained access control options.