The ip netns creates the reference to the (named) network namespace in /var/run/ns, which could be easily tracked. Also, the same could be determined through /proc/[pid]/ns/net. However, it is possible for some custom program to create a net ns and save the corresponding inode at some other unconventional location. This can make it difficult to determine if or not there are net ns that we could list out.

Secondly, unshare <cmd> destroys the net ns when the process exits, which is fine. However, ip netns exec <netns> <cmd> will keep the ns even after the command/process exits. So I believe, it could be possible for any custom program to do the same.

Hence, the question is: Is it possible that a custom program creates an unnamed net ns, and it is left unassociated with any process?

Furthermore, is it possible to list out such (hidden) net ns from user-space, given that we do not know the paths to the inodes? (The kernel of course has a linked list of the net ns) A code snippet will be helpful.

Is it possible that a custom program creates an unnamed net ns, and it is left unassociated with any process?

Yes it's possible. According to Linux namespaces man page (http://man7.org/linux/man-pages/man7/namespaces.7.html):

Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace that supports being manipulated by setns(2):

Bind mounting (see mount(2)) one of the files in this directory to somewhere else in the filesystem keeps the corresponding namespace of the process specified by pid alive even if all processes currently in the namespace terminate.

About the other question:

is it possible to list out such (hidden) net ns from user-space, given that we do not know the paths to the inodes?

If you consider the above quote from the first question, by examining bound paths you should be able to find those hidden namespaces.