Based on my research, SharePoint Server 2010 uses the Timer Service account and the Win32 API NetUserChangePassword to change the managed account's password.
From Books Online (BOL), if an application calls the NetUserChangePassword function on a domain controller that is running Active Directory, access is allowed or denied based on the access control list (ACL) for the securable object. The default ACL permits only Domain Admins and Account Operators to call this function.
So, in this case, you are right. We need to delegate permissions to the timer job to perform the password changing job.