When I first created the REST interface I didn't have the notion of sessions; now that you do, I think you would want to augment the notion of having a /znodes/... URL with a URL of /sessions/v1/<session TOKEN>/znodes/....
So create the session as you suggest; however, that create operation returns a URL representing the session, after which all of your operations use that as a "prefix", if you will, e.g.:
Create a new session - POST /sessions/v1?op=create HTTP/1.1
Notice the session TOKEN is a randomly generated key - this allows for some "security through obscurity", as it's "hard to guess", and is some small measure of security. Session keepalive and delete would operate on this URL. GET on the URL might return the original session id, for example.
Create an ephemeral node - POST /sessions/v1/ab483cd8283ef274/znodes/v1/a/b?op=create&name=c&ephemeral=true HTTP/1.1
You might keep the /znodes feature as-is for those not wanting to use sessions (admin r/o console, say, or CLI tool); however, you might want to make turning it off an option - allowing the operator to force users to use explicit sessions.
Notice how this also cleans up items 5/6 wrt the URL used to access (same prefix in both cases).
When you add ACL support you might add something like:
resource for managing them (add auth for example). I think you'd have to require SSL to make this secure..., and return some security token good for the session so that someone else can't impersonate you... etc...
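
A sketch of the URL scheme described in the comment above, added here as an example; it is not part of the original comment or of the project's code. The names `SessionRouter`, `require_session` and `token_bytes`, the 128-bit token length, and the choice to store only a digest of each token are assumptions of this example; `resolve` expects the URL path with the query string already removed.

```python
import hashlib
import re
import secrets

SESSION_RE = re.compile(r"^/sessions/v1/([0-9a-f]+)(/znodes/v1(?:/.*)?)?$")
ZNODES_RE = re.compile(r"^/znodes/v1(/.*)?$")


class SessionRouter:
    """Maps unguessable URL tokens to backend session ids (hypothetical names)."""

    def __init__(self, require_session=False, token_bytes=16):
        self.require_session = require_session  # operator option: no bare /znodes
        self.token_bytes = token_bytes          # assumption: 128-bit token
        self._sessions = {}                     # sha256(token) -> session id

    @staticmethod
    def _key(token):
        # Keep only a digest so a dump of the table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, session_id):
        """Handle POST /sessions/v1?op=create: return the session URL prefix."""
        token = secrets.token_hex(self.token_bytes)  # CSPRNG-backed
        self._sessions[self._key(token)] = session_id
        return f"/sessions/v1/{token}"

    def delete(self, prefix):
        """Drop the session behind a prefix; True if one was removed."""
        m = SESSION_RE.match(prefix)
        return bool(m) and self._sessions.pop(self._key(m.group(1)), None) is not None

    def resolve(self, path):
        """Return (session_id or None, znode_path); raise on rejected requests."""
        m = SESSION_RE.match(path)
        if m:
            session_id = self._sessions.get(self._key(m.group(1)))
            if session_id is None:
                raise PermissionError("unknown or expired session token")
            znode = m.group(2)
            return session_id, (znode[len("/znodes/v1"):] or "/") if znode else None
        m = ZNODES_RE.match(path)
        if m:
            if self.require_session:
                raise PermissionError("sessionless /znodes access is disabled")
            return None, m.group(1) or "/"
        raise LookupError("no such resource")
```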