Someone types in your new server/domain, like "ijustmadethissite.com", or "newlocation.existingsite.com"

For their computer to resolve this domain name, it's going to call out to a DNS server, of which Google hosts a major one. It can be assumed that they log these names, and can then use that as a "notification" for a site coming up.

But what does that have to do with scanning webservers for vulnerabilities, do they do something with the "newly seen sites", and if so is it documented what they do for scanning?

Because if the vulnerability involves an HTTP request, then the Host header needs to have the domain name of the target website.

So you need: IP address and port for the TCP headers, and the domain name to go in the TCP packet content.

One example of a vulnerability would be having phpMyAdmin with a database password hardcoded and no login needed. Without the domain name it would still be impossible to access. (Of course, domain names shouldn't be considered secret so this would be a very insecure setup.)

True, they have a DNS resolver, but they also have Chrome. And the Certificate Transparency list. Google Analytics. And so on…

I'd never considered the value all those things have when it comes to finding out what to index. Clever, actually.