When using the Create Item action in Nintex, do both lists have to have the same permissions? We would like the list that has the created item to be read only to some people.
They do not have to have the same permissions.
In normal circumstances the create item will run as the initiator of the workflow when it executes, so that user would need to have the ability to add a new item to the list.
If they do not have permissions to do this, you can wrap the create item in an action set action and configure that under common to run as the workflow owner (ie whoever published the workflow) for that specific insert - thereby only needing to ensure that the user who publishes the workflow has the permissions to write to that list.