This too me longer to find than it should have done, so I'm writing it here for future me.
When you install CouchDB, it is in a mode where anyone can do anything with the database including creating and deleting databases. This is called "Admin Party" mode which is a pretty cool name, but not what I want.
Creating admin users
To create a user in 1.6 (I've not used 2.0 yet, but assuming it's the same) you simply click on the "Fix This" link in Futon which is available at http://localhost:5984/_utils/ by default.
As CouchDB's entire API is essentially a RESTFul API, to do this via the command line, you simply PUT a new user to into the _configs/adminscollection like this:
curl -s -X PUT http://localhost:5984/_config/admins/rob -d '"123456"'
This creates an admin user called robwith a password of 123456. Note that the password within the body of the PUT request must be a quoted string. This caught me out for a while!
From this point on, we can then use basic authentication to do admin-y things, such as create a bookshelf_apidatabase:
You can also set up per-database users which is handy for limiting what your application can do when connected to CouchDB. This is done creating users in the /_users/collection and then assigning them to a class in the _securitycollection of the database. There are two default classes: "members" and "admins" where members can modify data, but not design documents and admins can modify all documents including user roles on that database.