The first thing you need is a user who has the new "IT Admin" role. Admin users will be able to add these to any user by navigating to the "Staff" page, selecting a user and toggling the permission to on:
This user will now have some additional menu item unlocked when they next login:
In this screen they will be able to view all the API users setup:
And by clicking into a API user they can view the current key:
And also create a new key and secret:
(important to note, you only ever see the secret once so make sure you copy it straight away)
Finally they can also disable a API user, making it instantly unusable.