You can always create a new role that only allows the actions that you need to kick off a new build (create on builds and builds/source, read on buildconfigs).
Also, if you're running oc inside a pod within OpenShift, oc will use the credentials of the service account used to run the pod. No need to explicitly log in.
Adding the edit cluster role seems to work.
oadm policy add-cluster-role-to-user edit system:serviceaccount:jenkins:jenkins
But it feels I'm giving it too much access. I tried with role system:build-controller but that wasn't enough.