Yes, although the subdomains still point to deviantart's servers. The difference here is that ad.example.com ends up pointing to the attacker's server.
Because LetsEncrypt needs a very specific response to be served from a specific endpoint, you need this kind of total control to validate a domain and get a certificate issued.
There's a bit more to it than "allowing subdomain creation". You will need control over the DNS records, or ability arbitrarily change the page (essentially).
Because LetsEncrypt needs a very specific response to be served from a specific endpoint, you need this kind of total control to validate a domain and get a certificate issued.