Third-party user registration

a) Third-Party password

I can see that you do not want users entering their password on third-party sites, but maybe that is not necessary.

I would be fine with sending your API some required data (e.g. email, username, name) without the password. You can then just send an email to the user confirming his email address and letting him set up a password. So all the really critical steps (email confirmation, password) would still be handled completely on your end, but the users still save some amount of repetitive work (find register site, fill out form, …), which adds up if you have to do it N times.

b) Spam

All applications using an OAuth API are identified through some id - here: Client-ID: <client_id>
I would propose opening a register API only to a select few, maybe through an application process. Should there be too much spam, just block their access and you should be fine.

Kind Regards,
Matthias Weidemann (ArdentZeal)
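
The flow proposed in this post, sketched as an added example that is not part of the original post or of the project's code: approved clients submit profile fields only, the user sets the password through a mailed single-use token, and a spamming client can be blocked. The client IDs, field names, token lifetime and in-memory stores (including `outbox`, which stands in for the mail system) are assumptions.

```python
import hashlib, secrets, time

TOKEN_TTL = 24 * 3600            # assumed lifetime of a confirmation link
approved_clients = {"client-a"}  # constructed IDs of vetted applications
pending = {}                     # sha256(token) -> (profile, expiry)
users = {}                       # email -> confirmed account record
outbox = []                      # stand-in for outgoing mail: (email, token)

def register(client_id, data, now=None):
    """Third-party call: profile fields only, a password is rejected."""
    now = time.time() if now is None else now
    if client_id not in approved_clients:
        raise PermissionError("client not approved for registration")
    if set(data) != {"email", "username", "name"}:
        raise ValueError("exactly email, username and name are accepted")
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Only the hash is stored, so a leaked table does not yield usable links.
    pending[digest] = (dict(data, client_id=client_id), now + TOKEN_TTL)
    outbox.append((data["email"], token))  # token goes to the user only
    return "pending"                       # the client never sees the token

def confirm(token, password, now=None):
    """First-party step: the user follows the mailed link and sets a password."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = pending.pop(digest, None)      # single use, even on failure
    if entry is None or entry[1] < now:
        raise PermissionError("invalid or expired token")
    profile, _ = entry
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    users[profile["email"]] = {**profile, "salt": salt, "pw_hash": pw_hash}
    return profile["username"]

def block_client(client_id):
    """Spam response: revoke the client and drop its unconfirmed sign-ups."""
    approved_clients.discard(client_id)
    stale = [d for d, (p, _) in pending.items() if p["client_id"] == client_id]
    for digest in stale:
        del pending[digest]
```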