

Does my MIIS AD MA account need to be a domain admin?

The answer here is no. People often grant these accounts domain admin rights to get things working quickly, but that is not a best practice.

The best practice is to grant the account only the specific rights it needs to function. This includes:

  • Grant the account read access to all OUs from which objects will be imported.
  • Grant the account read, write and delete rights in the OUs where provisioning and deprovisioning will occur.
  • Grant the “Replicating Directory Changes” right according to Q303972 (https://support.microsoft.com/default.aspx?scid=kb;en-us;303972).

This keeps the access to AD by MIIS limited and your operation more secure.
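As an added example (not part of the original post), here is how the three delegations above can be applied with dsacls.exe from a PowerShell session on a domain-joined machine. The account name, OU paths and domain are constructed placeholders, not values from the post; adjust them to your own forest.

```powershell
# Constructed sample values (assumptions, not from the original post)
$acct     = "CONTOSO\svc-miis"                 # the MIIS AD MA service account
$importOu = "OU=Staff,DC=contoso,DC=com"       # OU that objects are imported from
$provOu   = "OU=Managed,DC=contoso,DC=com"     # OU where MIIS provisions/deprovisions
$domain   = "DC=contoso,DC=com"                # domain naming context

# 1. Read-only access on the import OU.
#    /I:T = apply to this object and all sub-objects; GR = generic read.
dsacls $importOu /I:T /G "${acct}:GR"

# 2. Provisioning OU: the account must create and delete child objects
#    in the OU itself, and read/write the objects that live under it.
#    CC = create child, DC = delete child (on the OU);
#    /I:S = sub-objects only, GR/GW = generic read/write (on the children).
dsacls $provOu /I:T /G "${acct}:CCDC"
dsacls $provOu /I:S /G "${acct}:GRGW"

# 3. Replicating Directory Changes on the domain naming context (Q303972).
#    CA;<name> grants a control-access (extended) right by its display name.
dsacls $domain /G "${acct}:CA;Replicating Directory Changes"

# Verify: dsacls with no switches prints the current ACL of the object,
# so the account's entries can be reviewed and nothing broader slipped in.
dsacls $importOu | Select-String "svc-miis"
dsacls $provOu   | Select-String "svc-miis"
dsacls $domain   | Select-String "svc-miis"
```

The CC/DC entries can be narrowed further to particular object classes (for example `CCDC;user`) if MIIS only ever provisions one type of object.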