Truth be told it was probably created in the bowels of the NSA...
In 2011, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL, his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers.
Henson apparently failed to notice a bug in Seggelmann's implementation, and introduced the resulting vulnerability, Heartbleed, into OpenSSL's source code repository on December 31, 2011.
Heartbeat support was enabled by default, causing affected versions to be affected by default. The vulnerable code has been adopted to widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012.