The tomcat-users.xml file is just xml so it's always possible to update it programmatically but it's only read when Tomcat starts up.
The memory realm was only put there to serve as an introduction to realms. It it assumed that most production apps will switch to a JDBC or JNDI type realm. Tomcat provides the interface org.apache.catalina.Realm that you can use to implement your own if none of the provided ones provide what you need.
MemoryRealm is a simple demonstration implementation of the Tomcat 6 Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_HOME/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted.
[ January 22, 2008: Message edited by: Ben Souther ]
The Tomcat Admin app runs as a privileged app and probably accesses the memory realm objects directly. The nice thing about open source projects is that, if you want to know how they do something, you can grab the source and see for yourself.
If you're serious about mucking around with the MemoryRealm (and you should really use a more serious Realm implementation, like DataSourceRealm), you might want to read this article I wrote a while back. The section titled "Integration with Tomcat Realms" explains how to extend MemoryRealm with custom functionality.