The API call to check group membership does require at least a delegated admin with rights to read groups via the API. If you utilize the new Google Admin SDK membership API call, you can also limit the scope to readonly:
https://www.googleapis.com/auth/admin.directory.group.readonly
The Admin SDK utilizes OAuth 2.0 which does not require the delegated admin's username/password, only the OAuth token.