Does DNS allow third parties to register subdomains?
Short answer: No, third parties can't register a subdomain without authorization from the owner of the domain.
DNS is a hierarchical system, ordered from right to left in the hostname. Whoever has a given domain name registered controls the authoritative name servers for that domain. This means that all queries (that aren't answered from cache) for that domain or one of its subdomains will be directed to that organization's DNS servers, giving them full control over all subdomains. They can, of course, choose to delegate this control to someone else if they wish.
For example, if I were to register reirab.com, if someone queries subdomain.reirab.com (and no cache is involved,) what would happen is this:
Their DNS server would first ask the root servers for the first domain from the right, i.e. com. They would be returned a DNS NS record telling them the authoritative name server for com.
Their DNS server would then submit a request to the com authoritative name server that it discovered from the previous request for reirab.com. It would again get an NS record response telling it the authoritative nameserver for reirab.com.
Their DNS server would now submit a request to reirab.com's authoritative name server for subdomain.reirab.com. Since I would own reirab.com, I would have full control over this authoritative name server. It would either be a server that I myself own or one that is hosted by a third party on my behalf. The only subdomains that could possibly be returned (authoritatively) for this domain are the ones I myself have created records for on that authoritative name server. The only way for someone else to register a subdomain of reirab.com would then be for them to ask me to set it up for them, since I own the authoritative name server for reirab.com and all requests for its subdomains would be funneled through my server.
If I did want to delegate control of some subdomain to someone else, I would do it exactly the same way my registrar delegated control of reirab.com to me: with an NS record. By adding an NS record for subdomain.reirab.com to reirab.com's authoritative name server, I can authoritatively direct requests for subdomain.reirab.com and any of its subdomains to the name server listed in that NS record, which would be controlled by the organization to whom I delegated control of that subdomain. I could revoke this delegation at any time by removing or altering that NS record.
By the way, 'www' is not treated specially by DNS. It's just another host name in its domain's authoritative DNS server. It's only by convention that we put the host (A or AAAA) record for that organization's web server there. The A record for www.exampledomain.com and somethingelse.exampledomain.com both most likely lie on the same server: exampledomain.com's DNS server.
Note: This answer has intentionally simplified things a bit for the case of someone requesting a DNS record from the Internet. If a request for a domain comes from within the domain's organization, the request will likely be resolved directly by the organization's name servers without going up the chain to root-servers.net, the TLD's name servers, etc. In this case, a host name could potentially even resolve to something different than what it would resolve to from the Internet, if the organization so chooses.
Welcome to Security!
The case of educational/government intitutions is a particular case of subdomaining. Basically ICANN, who rules the Internet top names, delegated maangement of the .au TLD to Australian government (to make it simply simple). But since .edu and .gov (et similia) are owned by US for historical reasons, Australia, like some other countries, had no choice than to manage its own dedicated Educational subdomain under .au. Other examples are .gov.uk, .gov.it etc. that made similar choices.
If you use whois Linux tool you can find interesting information. I have summarized its output
:~> whois au
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
domain: AU
organisation: .au Domain Administration (auDA)
address: Lv 17
address: 1 Collins St
address: Melbourne VIC 3000
address: Australia
:~> whois edu.au
Domain Name: EDU.AU
Registry Domain ID: D407400000002449554-AU
Registrar WHOIS Server: whois.auda.ltd
Registrar URL: http://www.afilias.com.au
Last Modified:
Registrar Name: Afilias Australia Pty Ltd
:~> whois sydney.edu.au
Domain Name: SYDNEY.EDU.AU
Registry Domain ID: D407400000000057080-AU
Registrar WHOIS Server: whois.auda.org.au
Registrar URL: https://www.domainname.edu.au
Last Modified: 2018-07-17T00:59:06Z
Registrar Name: EDUCATION SERVICES AUSTRALIA LIMITED
Each subject in the chain is responsible for allowing parties to register subdomains. For example, if your Science department wants to register a subdomain, they must inquire Education Services Australia.
Experiment: try to register usrlocalechelon.edu.au on GoDaddy: they are not allowed to sell you that
Experiment 2: https://www.domainname.edu.au/ offers me to register usrlocalechelon.edu.au for 41 AUD. Looks like too public in my opinion as you may claim yourself to be an educational institution in Australia if you can just pay for a .edu.au domain.
Comment: the site shows a "Eligibility details" step of registration, where probably I won't be able to register an Australian educational domain because I lack authority to register under eu. I haven't bothered trying to push the wizard forward.
Experiment 3 (which answers the security question)
https://www.domainname.edu.au/ does NOT allow me to register usrlocalechelon.sydney.edu.au because
Requires applicant to have national interests and resposibilities or be recognized and delivering services in more than one state or territory
Summarizing
You can never apply for your favourite sub-sub domain at a public registrar, because technical reasons require you to pass through the owner of the level-minus-one domain. DNS is hierarchical.
But if the organization owning your third or fourth level domain (like sydney.edu.au in the example) flaws in filtering domain applications, that is their own organizational problem and is not a flaw in the DNS system.
The DNS registrars only care about the registration of the primary domain, i.e. example.com. They don't care about any sub-domains like www.example.com or www.math.example.com and similar. These are in full control of the organisation which owns the primary domain, which also might decide to delegate control over these domains or some of these domains to other parties.
Note that a primary domain is not necessarily the domain.toplevel but it is domain.publicsuffix where publicsuffix can be things like com but also co.uk. For more information about these see publicsuffix.org.