I want to make the case, without necessarily endorsing it, that we should be much more suspicious of Bitcoin than we are at present.
1) Bitcoin was almost certainly a team effort. The design has been peer-reviewed and is found to be remarkably secure, complete and well-rounded. I argue that this suggests that a peer-review or quality control process has already been applied. If one individual cryptographer had written Bitcoin, it would contain far more idiosyncracies than it does, not just in the cryptosystem design but also in the C++ code itself. The core protocol itself, which uses a Turing-incomplete programming language, has had only one major vulnerability found in its design and execution.
For comparison, the Amazon AWS API is also a huge team effort that was also (I assume) designed with the help of competent Internet protocol and cryptography experts, and also has suffered from only one major vulnerability, which was found by a certified genius, Colin Percival. Likewise Colin's own one-person-product, the highly secure backup facility Tarsnap has also had only one serious vulnerability to date.
Bitcoin is at least one order of magnitude more complex than Tarsnap, or the crypto used in v1 of the Amazon AWS API. We should have seen far more bugs of varying severities if it was a one man band.2) The author(s) created, maintained and then apparently retired a pseudonym (Satoshi Nakamoto) while staying completely anonymous on the Internet.
As an achievement this is almost as impressive as Bitcoin itself, albeit of a different nature.
Using the Internet anonymously is much harder than one would think. Things like Tor are vital of course, but beyond that there is the practice of operational security to a very high standard. One slip-up is enough to junk the whole identity, e.g. logging on to a pseudononymous account from an insecure location, or even sending a cookie obtained via Tor 'in the clear', is enough.
As a real-world example, the assassination of Rafic Hariri in Lebanon was pinned on Hezbollah because one of their agents made a single phone call to his girlfriend with his dedicated operational phone instead of his personal mobile.
3) Bitcoin is, by design, highly vulnerable to network analysis. Network analysis can be used to comb through large graphs looking for patterns or suspicious behaviour. Because the entire transaction graph of Bitcoin is public, anyone can perform network analysis on the whole Bitcoin network. This is not so significant by itself, but becomes vitally important when combined with the next point.
4) In the absence of good network analysis, the Bitcoin network is not legally attackable at the point where hard currency is converted. Network analysis backed up with law enforcement or hacking, however, could be extremely effective, and this fits the MO for some large three letter agencies: as we have seen with the recent disclosures of NSA attacks against SSL and Tor, the most successful attacks are multi-pronged: they combine, for example, legal strong-arming with technical know-how and hacking.
Obtaining the transaction logs of a currency exchange would give a starting points from which the rest of the transaction graph can be de-anonymised.
5) One single party controls more than 25% of all BTCs in circulation. Someone, somewhere has the ability to destabilise the BTC currency exchange market at will. If you think of BTCs as a commodity instead of a currency, it is obvious that anyone holding large reserves can wreak havoc by dumping their holdings on the market. They could also bankrupt or bleed the exchanges dry of working capital by converting large sums of BTC over a period of time.
6) Whoever wrote Bitcoin must have known that it would attract criminals and wingnuts like flies to a honeypot. After all, look at the history of cyptocash and you can't help but notice Jim Bell's 'assassination politics', or realise the potential for mischief within the combination of hidden servers and cryptocash. Once Bitcoin was established and hidden servers were possible via Tor, Silk Road was inevitable. Even with the demise of Silk Road, Bitcoin is still used for money laundering, paying for skimmed credit card numbers and for 0-day exploits - in this last case, maybe even by the NSA itself.
7) 'Satoshi Nakamoto' is an anagram of 'Ma, I took NSA oath!' :-) But seriously:
To summarise, Bitcoin was apparently designed by good cryptographers and peer-reviewed before it was released. It was almost certainly written by a team of good coders. The entity that did this practiced impeccable operational security. Bitcoin was designed to be difficult to attack by non-state actors, but was also designed to be inherently vulnerable to network analysis, especially so when combined with legal and covert access techniques. A single entity retains the ability to severely disrupt the BTC market through its control of large reserves, and only the most unaware or blinkered recluse could have failed to realise its potential target market mainly consisted of rogues and blackguards.
Whether or not this points to a law enforcement or national security agency as I've suggested, I think it's evident that we cannot assume that the creation of Bitcoin was motivated by altruism, or even by the strain of libertarian cypherpunk ideology that gave Bitcoin such fertile soil in which to grow.
Dan Kaminsky was quoted by Matthew Green as saying "authorship is a better predictor of quality than openness", and likewise, motive is a better predictor of the true purpose of a tool than its quality. The motive of the creators of Bitcoin remains completely unknown.
Corrections and footnotes
 As per the HN discussion, apparently the first BitCoin client was quite buggy in the beginning. Only one exploit was used on the network, but see the Bitcoin CVE list here for a more realistic list of the software bugs encountered in Bitcoin. Worth noting is that this is a separate issue to bugs in the design of the cryptosystem. Thanks to nwh on HN for the pointer.
 I previously stated that "...and has tried to hide that fact" but this is based on a misreading of the paper. Thanks to mcphilip on HN for pointing that out.
There's an interesting discussion over at Hacker News where some good counterpoints are made.