The NSA could and probably already has gone -- using a USA PATRIOT Act demand letter, or other similar legislative tool -- to all the major CAs in the United States (e.g. VeriSign, GeoTrust, etc.) and demanded that they remit their private root keys to "No Such Agency", "for purposes of 'national security'".
Of course, all such requests must (per PATRIOT Act law) be kept secret, and the CAs must lie to the public about their having complied with the request, or the chief executive officers of the CAs (and any of their underlings involved) are subject to long prison terms (with the trial, if any, conducted in camera in secret courts).
None of the above is unfounded speculation; it is based on well-known U.S. laws, which two successive U.S. administrations (Bush and Obama) have refused to change in any meaningful way, and in view of the Snowden revelations it would be extremely foolish to assume that this scenario hasn't already happened.
So yes -- the simple answer is, "the NSA doesn't need to do anything special to set up a root CA; because it can easily impersonate any of the existing (American) ones, at will".