Key management is another area of Salt with a vast range of convenience/security trade-offs. For convenience, Salt does not require you to manually transfer the keys between masters and minions in order for authentication to occur. Instead, the minion will contact the master, and the master will cache the minion's public RSA key, awaiting manual approval.
Often, if we just created the minion in question and a minion of that name appears in the master's key list, we can assume with some degree of certainty that the key we're accepting is the key of the minion we just created.
However, it's possible that a malicious party could have contacted the master under the same name. In this case, we would be accepting a key from a malicious party, who would now be able to retrieve data to which they should not have access.
Such an attack is unlikely. It would be very hard to execute, as it's a small attack window, and the attacker would need to know the name of the minion being created...
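The manual approval step can be tied to the key itself rather than to the minion's name alone. The following is an added example, not code from the original text: it accepts a pending key only when its fingerprint on the master equals the fingerprint read on the minion. The function names are hypothetical, and the output layouts of `salt-key -f` and `salt-call --local key.finger` are assumed as described in the comments.

```shell
#!/bin/sh
# Added example: accept a pending minion key only if its fingerprint matches
# the one read on the minion itself. Output layouts below are assumptions.

# stdin: output of `salt-key --no-color -f <id>`; prints the fingerprint listed
# for <id> under "Unaccepted Keys:" only, ignoring keys in any other state.
pending_finger() {
    awk -v id="$1" '
        /Keys:[ \t]*$/ { pending = ($0 ~ /^Unaccepted Keys:/); next }
        pending && $1 == (id ":") { print tolower($2); exit }'
}

# stdin: output of `salt-call --local key.finger` run on the minion ("local:"
# followed by the indented fingerprint); prints the last non-empty token.
minion_finger() {
    awk 'NF { fp = $NF } END { print tolower(fp) }'
}

# $1 = salt-key output, $2 = salt-call output, $3 = minion id.
# Succeeds only when the pending fingerprint is well-formed and identical.
fingers_match() {
    m=$(printf '%s\n' "$1" | pending_finger "$3")
    n=$(printf '%s\n' "$2" | minion_finger)
    case "$m" in ''|*[!0-9a-f:]*) return 1 ;; esac
    [ "$m" = "$n" ]
}

# Run on the master. $1 = minion id, $2 = fingerprint output captured on the
# minion and carried over a channel you already trust (console, SSH).
accept_verified() {
    listing=$(salt-key --no-color -f "$1") || return 2
    if fingers_match "$listing" "$2" "$1"; then
        salt-key -y -a "$1"
    else
        echo "no matching pending key for $1; nothing accepted" >&2
        return 1
    fi
}
```

A mismatch leaves the key in the pending list, so it can be inspected or rejected rather than accepted by name.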