For creating the Connected App, the article Digging Deeper into OAuth 2.0 on Force.com (https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com) will probably answer many of your questions and help you get that in place.

For the User Account with API Enabled, I highly recommend using a dedicated Profile that only grants the User Account access to the objects and fields necessary for the app to function. If you must use an existing Profile, then create a Permission Set that provides all the access that the User Account requires so that you don't grant other users in the same Profile excessive access to critical objects and fields. API Enabled is a System Permission checkbox that must be checked to grant the User access via the API. Once you have the Profile or Permission Set created, you must apply that to either an existing User or new User. You can get a new Secruity Token by logging in to the UI as that user and initiating the Reset My Security Token function in Setup. This will send the new Security Token to the email address associated with the User. You must have access to that email account to retrieve the Security Token. A note of caution, if this is an existing User and other integrations also authenticate with that user, you must update the integration credentials to use the new Security Token; alternately, if you can retrieve the current Security Token from the integration configurations, you would not need to reset the user's security token.