The API call to check group membership does require at least a delegated admin with rights to read groups via the API. If you utilize the new Google Admin SDK membership API call, you can also limit the scope to readonly:
https://www.googleapis.com/auth/admin.directory.group.readonly
The Admin SDK utilizes OAuth 2.0, which does not require the delegated admin's username/password, only the OAuth token.
UPDATE: the Cloud Identity Groups and Group Members API endpoints allow anyone with either an admin role OR permissions to manage the group itself to call the API. Thus anyone with rights to see group membership (usually a member of the group) can use this API and does not need delegated admin permissions.
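A sketch of the read-only membership check described above, added here as an example and not part of the original answer. It assumes the Admin SDK Directory API `members.hasMember` endpoint and an OAuth 2.0 access token already obtained with the read-only scope; the names `is_member`, `has_member_url`, `http_get` and `MembershipCheckError` are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Scope to request when obtaining the token (the read-only scope named in the answer).
READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
API_ROOT = "https://admin.googleapis.com/admin/directory/v1"


class MembershipCheckError(Exception):
    """Raised when the API does not give a definite answer (hypothetical name)."""


def has_member_url(group_key, member_key):
    """Build the members.hasMember URL, percent-encoding both keys."""
    group = urllib.parse.quote(group_key, safe="")
    member = urllib.parse.quote(member_key, safe="")
    return f"{API_ROOT}/groups/{group}/hasMember/{member}"


def http_get(url, headers):
    """Default transport: returns (status, body_text) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def is_member(access_token, group_key, member_key, transport=http_get):
    """Return True/False for membership; fail closed on any API error."""
    status, body = transport(
        has_member_url(group_key, member_key),
        # Only the bearer token is sent; no admin username/password is involved.
        {"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    if status != 200:
        # 401/403: token missing, expired or lacking the scope; 404: unknown group.
        raise MembershipCheckError(f"membership check failed with HTTP {status}")
    # Only an explicit JSON true counts as membership.
    return json.loads(body).get("isMember") is True
```

The `transport` parameter exists so the check can be exercised without network access; in production the default `http_get` is used.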