We haven't heard of this kind of flaw; the closest I can think of is a flaw in OJS 2.0.0 through 2.0.2-1 that affected administrator validation, but I don't think there are any exploits in the wild. It's much more likely that these roles came via your upgrade path -- did you migrate from OJS 1.x? -- or things like accidental enrollments, role merges, or maybe a simple account breach through a guessed password.
It's difficult for me to ascertain what happened from here beyond auditing the code; if you're able to find out any more information, please let me know.
Open Journal Systems Team