Currently with the header, you can't add nested headers. You can add username token or any WS security headers by enabling WS security on the out going path (Sample 100) and it is the best practice. By the way, you can use any mediator that can deal with SOAP Envelope for this. (XSLT,XQuery,Script mediator or even custom mediator ).
Sample 150 - http://synapse.apache.org/Synapse_Samples.html#Sample100