OAuth is an authorization protocol and not an authentication framework.
A OAuth token defines what resources you're allowed to consume but in order to receive a valid token, you'll need to authenticate yourself to an Oauth endpoint and this can be achieved using multiple kind of credentials (jwt bearer token, username/password, certificate...). Providing valid credentials is authentication, Oauth is about tokens. Tokens are great for authorization but do not proof user identity. As far as an Oauth client is concerned, he looks for presence of a token, and give you access based on that. He does not go as far as authenticating you. It is often confusing because Oauth is always part of a broader authentication/authorization flow, like in OpenID.
For API keys, you should always use them only to identify an application, nothing more, nothing less. Unleds your API is public, you should somehow authenticate users or applications consuming your API.
API keys are also often found in code repos, share point documents, property files or hardcoded into a mobile app. You can often consider them leaked by definition in a lot of scenarios.
For oauth finally i'd add: you want credentials to be used the less as possible in a request. They are used to authenticate you to an endpoint to receive a token. Token on their side should be used in each request for access control.
Hope it helps