OS X Lion does not request user authentication when a local user attempts to change their password. As a result, anyone with local access to a session that is currently logged in can change that account's password without knowing the existing one.
Apple OS X Lion
BeyondTrust Prevention and Detection:
Limit regular users' access to the dscl utility:
sudo chmod 100 /usr/bin/dscl
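
To confirm the restriction is in place, and still in place later, the following check can be run. It is an added example, not part of the original advisory: the function names are hypothetical, and it assumes the binary should be owned by root (uid 0) with no group or other permission bits, which is the state chmod 100 produces.

```shell
#!/bin/sh
# Added example: audit that a binary is usable by its root owner only,
# which is the state "chmod 100" is meant to produce for /usr/bin/dscl.

# Print the octal permission bits of $1 (GNU stat first, then BSD/macOS).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print the numeric uid of the owner of $1.
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null
}

# Return 0 when octal mode $1 grants nothing to group or other.
owner_only_mode() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Audit $1 (default /usr/bin/dscl).
# Returns 0 = restricted, 1 = still exposed, 2 = could not be checked.
audit_binary() {
    path=${1:-/usr/bin/dscl}
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    mode=$(file_mode "$path") || return 2
    uid=$(file_owner_uid "$path") || return 2
    if ! owner_only_mode "$mode"; then
        echo "EXPOSED $path mode=$mode (group/other bits are set)"
        return 1
    fi
    if [ "$uid" -ne 0 ]; then
        echo "EXPOSED $path uid=$uid (owner is not root)"
        return 1
    fi
    echo "RESTRICTED $path mode=$mode uid=$uid"
    return 0
}

# Usage: audit_binary /usr/bin/dscl
```

A non-zero return from audit_binary means the mitigation is missing or has been undone and the chmod needs to be reapplied.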