[#1478] OAuth `admin` scopes tweaks

Ivan Tashkinov requested to merge 1478-oauth-admin-scopes-tweaks into develop

Adjusted AdminAPIController admin subscope requirements.

Allowed non-admins to obtain admin scopes (which won't allow performing admin actions as long as the users.is_admin flag is false).

Enforced OAuth admin scopes usage by default (set [:auth, :enforce_oauth_admin_scope_usage] to true). This allows admins to opt out of admin scopes for some [3rd-party] apps, which would guarantee that no potentially destructive actions could be performed from those apps (without this setting such a scenario is possible, since only the is_admin flag is checked in this case). Note: PleromaFE and AdminFE versions not supporting admin scope won't be able to access admin features with this setting — added a changelog entry advising users to use bundled or newer versions of FEs.

Migrated existing OAuth records.

Adjusted / improved tests.

Closes #1478

Edited by Ivan Tashkinov
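The access rule this merge request describes, as an added example that is not Pleroma's own code: an admin action now needs both `users.is_admin` and an admin OAuth scope on the token when `[:auth, :enforce_oauth_admin_scope_usage]` is true, while with the setting off only `is_admin` is consulted. The hierarchical scope matching (`admin` covering `admin:write`, which covers `admin:write:accounts`) and the scope names are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    nickname: str
    is_admin: bool


@dataclass(frozen=True)
class Token:
    user: User
    scopes: frozenset  # OAuth scopes granted to the app that holds this token


def scope_satisfied(granted: frozenset, required: str) -> bool:
    """A granted scope covers itself and every more specific child scope.
    Assumed hierarchy: "admin" > "admin:write" > "admin:write:accounts"."""
    parts = required.split(":")
    return any(":".join(parts[:i]) in granted for i in range(1, len(parts) + 1))


def admin_action_allowed(token: Token, required_scope: str,
                         enforce_oauth_admin_scope_usage: bool = True) -> bool:
    """Decide whether an AdminAPI action guarded by `required_scope` may run."""
    # An admin scope on a non-admin's token grants nothing: is_admin is always required.
    if not token.user.is_admin:
        return False
    # Legacy behaviour (setting off): only the is_admin flag is checked, so any
    # app holding one of the admin's tokens can perform admin actions.
    if not enforce_oauth_admin_scope_usage:
        return True
    # Enforced behaviour: the token must also carry the matching admin scope, so an
    # admin can hand a third-party app a token without admin scopes and be sure it
    # cannot reach destructive endpoints.
    return scope_satisfied(token.scopes, required_scope)


if __name__ == "__main__":
    admin = User("admin", is_admin=True)          # constructed sample users
    third_party = Token(admin, frozenset({"read", "write"}))   # no admin scopes
    admin_fe = Token(admin, frozenset({"read", "write", "admin"}))
    for enforce in (False, True):
        print("enforce =", enforce,
              "third-party app:", admin_action_allowed(third_party, "admin:write", enforce),
              "AdminFE:", admin_action_allowed(admin_fe, "admin:write", enforce))
```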