Add optional subject delegation support for service account authentication

[varelaerick]

Add support for user impersonation via GOOGLE_ADS_SUBJECT environment variable when using service account credentials.

Changes:

• Add _get_subject() function to read subject from environment
• Enhance _create_credentials() to apply subject delegation for service accounts
• Maintain full backward compatibility - no changes to existing behavior
• Add logging for authentication method used

Usage:
Set GOOGLE_ADS_SUBJECT=user@example.com when using service account credentials with domain-wide delegation enabled.

Requirements:

• Service account credentials (not OAuth)
• Domain-wide delegation configured in Google Workspace Admin

[ZLeventer]

Subject delegation for service accounts is the right pattern for enterprise setups where the Google Ads account is managed through a Workspace domain with domain-wide delegation enabled.

The implementation correctly:

• Only activates when both GOOGLE_ADS_SUBJECT and a service account credential file are present
• Falls through to standard ADC when either is missing
• Uses credentials.with_subject() which is the documented approach for Google service account impersonation

Good defensive check on creds_info.get('type') == 'service_account' — prevents the subject param from silently being ignored when someone accidentally sets it with OAuth user credentials.

The README addition with the full JSON config example is helpful — MCP server setup docs that include working copy-paste configs get adopted much faster.