Useful discussion here What is the difference between Account identifier, Principal identifier and Public-Key
Yes, a principalId (i.e. a user) can be the controller. A controller is an identity that has rights to manage the canister. It is usually the textual representation of a principal.