"But if someone does have your password, and uses OAuth before you have a chance to change it, they will still have access to your account even after the password has changed." ... until you revoke the OAuth token for that third-party application and then re-authorize it with a new OAuth token, which is the way it's supposed to work. Twitter could make it easier on users who get pwnt by providing a "de-authorize all applications" function.
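Added example, not from the original post or from Twitter: a toy Python authorization server with constructed user, password and app names. It reproduces the behaviour described above (a token minted with a leaked password survives a password change) and shows the two mitigations, per-application revocation and a "de-authorize all applications" function wired into the password change.

```python
import hashlib
import secrets


class AuthServer:
    """Toy OAuth authorization server (constructed; tokens outlive the password)."""

    def __init__(self):
        self.users = {}   # username -> (salt, pbkdf2 digest)
        self.tokens = {}  # token -> (username, app name)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = (salt, digest)

    def check_password(self, user, password):
        salt, digest = self.users[user]
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(digest, guess)

    def authorize(self, user, password, app):
        """Mint a token for an app; anyone holding the password gets here."""
        if not self.check_password(user, password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, app)
        return token

    def revoke(self, user, app=None):
        """app=None is the 'de-authorize all applications' function asked for."""
        for t, (u, a) in list(self.tokens.items()):
            if u == user and (app is None or a == app):
                del self.tokens[t]

    def change_password(self, user, new_password, revoke_tokens=False):
        """Default keeps issued tokens (the weakness); revoke_tokens=True fixes it."""
        self.set_password(user, new_password)
        if revoke_tokens:
            self.revoke(user)


def token_survives_password_change(revoke_on_change):
    """True if a token minted with a leaked password still works afterwards."""
    srv = AuthServer()
    srv.set_password("alice", "leaked-pw")
    tok = srv.authorize("alice", "leaked-pw", "some-app")
    srv.change_password("alice", "new-pw", revoke_tokens=revoke_on_change)
    return tok in srv.tokens
```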