The owner of a DID should create a DID document. Creating a DID document for someone else is usually not correct, if that someone else is a private individual. (If the other party is an organization or an IoT device, maybe it makes more sense.)
Different types of DIDs create their DID documents in different ways. In Sovrin, a DID document is created by registering a DID on the ledger. The DID document is never actually created as bytes in a file, though–rather, it is implied by the metadata that you associate with your DID. When you “resolve” the DID on the ledger, all that metadata is assembled, just in time, into a DID document. Some other types of DIDs do it differently. If you are creating a DID on IPFS, for example, you create the DID doc (e.g., in software or even in a text editor) and then write it to IPFS as a doc, and this act of writing it to IPFS is what brings the DID into being. If you are creating a peer DID, you create the DID doc and share it with a peer; the act of sharing is what makes the DID official.
Some types of DIDs allow their respective DID docs to be uploaded to distributed ledgers. For example, I think Veres One supports that simple flow. Other types of DIDs don’t allow you to upload a DID Doc, but rather to register a DID with some metadata fields that imply the contents of a DID Doc. This is how Sovrin does it.
DID Docs can be encrypted, but usually they are not. The only keys they contain are public keys, which do not need to be encrypted.