Here are options that may solve your problem:
1) Switch Splunk to SSO strict mode and connect it to a single sign-on solution so the web UI no longer allows users to manually enter a username/password (documentation here: https://docs.splunk.com/Documentation/Splunk/6.5.3/Security/ConfigureSplunkSSO). Then add all your WebUI users to the SSO solution, but add your admin/REST user to Splunk only--not the SSO solution. If that user ever tries to authenticate to the WebUI, the SSO solution will reject it. But when that user tries to authenticate on the management port, Splunk will bypass the SSO solution (you will have to add the source address that you expect REST queries to come from to the trustedIP list, and just for good measure you should have iptables specifically block the Splunk web port from that IP).
2) I bet you can do something similar to the above by setting up multifactor authentication using Duo (https://docs.splunk.com/Documentation/Splunk/6.5.3/Security/AboutMultiFactorAuth). My guess--I can't find any documentation that addresses it--is that the Splunk management port bypasses Duo just like it bypasses SSO. If that's the case, you'd just have to set up a second factor for the REST account and then destroy that second factor; that way that account can still use its username/password to login through the management port, but it won't have the second factor required to login to Splunk Web.
A couple of things you should consider if you do what you're intending: If you're giving this account admin privileges, it can create another account that has admin and web UI privileges (SSO example above notwithstanding). You can create an alert to look out for that, but this account can also disable that alert. You can create an alert that looks for the account disabling that alert, but... turtles all the way down. So think carefully about those possibilities before you put your trust in this solution.