Can we call the JAVA API from outside Appian?

Technically, yes. In practice, I would advise against it as it requires you to essentially have another Appian install to have all the prerequisites.
Few thoughts/questions:
1. Does this have to be done on login? You will need a batch user synch anyway to capture any changes in case the user does not log in. See community.appian.com/.../identity-management for more info.
2. If the synch needs to happen on login, it gets quite a bit more complicated but I would still use WebAPI over any other pattern. Assuming you have the user logging in directly to Appian (not from an external portal, etc.) you can set the user start pages to a WebAPI. The web api can start a process that completes all the work and then forwards the user where he truly needs to go. This assumes that either the user exists, or you are using SAML and can create the user on login. If the user does not exist and you cannot create them on login, you will need an intermediary to first call a web api to create the user (and also potentially do all the other work), then forward them to where they need to go. The overhead is going to be a few seconds on first login, otherwise you can likely short-circuit most of the work on subsequent logins.

We will be having the user login through a 3rd party authentication portal. We may have custom code do the user creation in the 3rd party portal. We are not going to use SAML, but OAuth for login. OAuth will be capturing the user's authorizations and need to forward them onto Appian so their user groups can be updated to match the authorizations.