About the first two questions, it is more an AD organization matter than anything else. IMHO, having specific OUs is better than mixing everything in one single place, so your examples are good.
About the third one, ESXi permissions have no relation to vCenter permissions; they only apply to direct ESXi access and are not reflected at all in the way vCenter accesses the ESXi resources.
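A way to check the point about ESXi and vCenter permissions being independent, as an added PowerCLI example that is not part of the reply above: connect once directly to the host and once to vCenter, and list the permissions each side reports for the same host. The host name, vCenter name and credential prompts are assumptions; the cmdlets (Connect-VIServer, Get-VMHost, Get-VIPermission, Disconnect-VIServer) are standard VMware PowerCLI.

```powershell
# Added example, not from the original thread. Assumed names: esxi01.lab.local and vcenter.lab.local.
$esxiHost = 'esxi01.lab.local'
$vCenter  = 'vcenter.lab.local'

# 1) Direct ESXi connection: shows only the host's local permissions
#    (root, and any local users or AD users granted a role on the host itself).
$esxiSession = Connect-VIServer -Server $esxiHost -Credential (Get-Credential -Message "ESXi local/AD account for $esxiHost")
$hostLocalPerms = Get-VIPermission -Server $esxiSession |
    Select-Object Principal, Role, Entity, Propagate
Disconnect-VIServer -Server $esxiSession -Confirm:$false

# 2) vCenter connection: shows the permissions vCenter holds for that same host object.
#    These are stored in vCenter and are what vCenter users are evaluated against;
#    vCenter itself talks to the host with its own vpxuser account, not with these entries.
$vcSession = Connect-VIServer -Server $vCenter -Credential (Get-Credential -Message "vCenter (SSO) account for $vCenter")
$hostObj = Get-VMHost -Server $vcSession -Name $esxiHost
$vcPermsOnHost = Get-VIPermission -Server $vcSession -Entity $hostObj |
    Select-Object Principal, Role, Entity, Propagate
Disconnect-VIServer -Server $vcSession -Confirm:$false

# 3) Compare the two principal lists: expect little or no overlap, which is the
#    separation described in the reply (local ESXi roles do not govern vCenter access).
Write-Host "=== Permissions defined on the ESXi host itself ==="
$hostLocalPerms | Format-Table -AutoSize
Write-Host "=== Permissions vCenter holds for $esxiHost ==="
$vcPermsOnHost | Format-Table -AutoSize

$onlyLocal = $hostLocalPerms.Principal | Where-Object { $_ -notin $vcPermsOnHost.Principal }
$onlyVc    = $vcPermsOnHost.Principal  | Where-Object { $_ -notin $hostLocalPerms.Principal }
Write-Host "Principals present only on the host : $($onlyLocal -join ', ')"
Write-Host "Principals present only in vCenter  : $($onlyVc -join ', ')"
```

Run it from a workstation with PowerCLI installed and network access to both endpoints. The practical lesson for hardening is that a principal granted a role directly on the host (for example via the ESXi host's own AD join) keeps that access regardless of what vCenter shows, so both sides have to be reviewed separately.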