Could one create a vulnerable website on purpose to attack a server of a hosting provider?

You wouldn't need the vulnerable website if you have an account on the shared hosting already. What you need is code execution on the host. A remote code execution vulnerability in one of the hosted websites gives you that, sure. But if you have your own account already, why not just upload whatever code you want to run?

I guess installing a vulnerable application could be a way to try to avoid being held responsible for the attack ("it wasn't me, I was hacked"). But it is not strictly needed.

Companies that offer shared hosting has to try to segregate the different accounts as much as possible. This is not always an easy thing to do. Vulnerabilities in the operative system or server misconfigurations can be exploited to gain access to other accounts. A good hosting provider could make such attacks hard by keeping software up to date and configuring things properly. But cheap is seldom good, and shared hosting is often cheap.