Access tokens can be created on behalf of a user or on behalf of an account.
User tokens
User tokens enable actions to be performed on behalf of the user that authorized their creation. If enabled, any user can authorize your app to create a user token on their behalf. With the proper scopes, a request authorized with a user token can do anything that user could do on their own behalf (e.g. create documents, edit documents, etc.).
Account tokens
Account tokens enable actions to be performed on behalf of an entire account. Only admins on an account can authorize your app to create a token on behalf of the account. Unless specifically intended, admins can't create tokens with scopes that can do things that they themselves can't do. Once created, the token is no longer associated with the user that created it. Anyone who has access to the token can use your app perform the administrative actions allowed by the scopes on the token, whether or not they would be able to do such actions without the token.
API usage
If you want your app to be able to perform any administrative actions (manage users, etc.), you'll need to use account tokens. User tokens can't be used to perform actions like managing users on an account, even if the user the token represents is an admin with permission to manage users. To perform such actions, an account token must be created. For this reason, not all scopes are valid for all token types; some scopes are only valid for user tokens, and some are only valid for account tokens.