You can use any domain account wich is local admin on the SIM server. This account csn be used to connect to the VCRM from any VCA even from other domains.
to run a replicate you need a trust, for repair you need credentials that is local admin on the destination servers.
There is no need to store the credentials in SIM, if you use the credentials for a install the credentials will not be stored. If you set credentials for discovery the credentials get saved. This is not alway what you want. The only credentials for monitoring needs would be SNMP or WBEM and trusts.