Once you can upload an access a PHP page you can do anything that php can do. That certainly includes creating and updating files and directories throughout the site. It sounds like your hacker didn't take too much advantage, it could be much worse. You can run command line and even create FTP accounts and install malware.
You can do pretty much anything at that point. I've seen people get it so bad that they need to move to a new server after. You are hopefully in the clear, but if it pops back up on the site it might be hard to track down since once they can upload a file to the server and run it you don't know where it might have spread from there.