>even if the the creator did not specify the option
You should have only one person (or a well controlled group of ids) that executes CREATE USER statements.
Of course, the CREATE USER must be executed with PASSWORD EXPIRE so that the initial password itself is expired.
You could create a database event trigger that automatically expires the password for the new user when the CREATE USER is executed.
Hemant K Chitale
You made an attempt-- post the code. Tell us what didn't work. Did you get an error? If so, what error?
My guess is that you could write a DDL trigger that submitted a job using DBMS_JOB that expired the user's password. That would be quite ugly both from a code and from an architecture standpoint. But it would seem to work.
In keeping with Hemant's answer, though, it seems far more beneficial to focus on preventing the error rather than mitigating it. Build a stored procedure, for example, that creates a user and impements whatever requirements you have and revoke the ability of whoever is currently making the mistake to run a direct CREATE USER statement. It's virtually always easier to prevent a problem up front than it is to try to fix it on the back end.