I've been playing around with the Twitter API, which uses OAuth as a means of secure authentication. I noticed that the Twitter developers page says that the API secret must not be human readable. How could one keep the said key secret? What techniques could I employ?

Many thanks.
It's generally considered a bad idea to include that secret in anything that clients have access to, so packing it into an Android application that you give to your users would be a bad idea. On the other hand, using it in a program on your webserver, the source to which only you have access, is considered okay. If you have to give something to users, I believe the best practice is to have the clients users control send their own authentication information to your server code, which should verify their credentials and then use your OAuth secret to access Twitter. Please correct me if any of that is misinformed, ladies and gents.
You are correct. Examples of why your client application should not embed secret keys, and some discussion of why sometimes you don't care enough to be properly secure, are in the news:
http://arstechnica.com/security/2014/06/secret-keys-stashed-in-google-play-apps-pose-risk-to-android-users-developers/
KermMartian wrote:
On the other hand, using it in a program on your webserver, the source to which only you have access, is considered okay.

It will be part of a desktop application, so with this in mind, should I set up a web server that holds the said credentials?
ElectronicsGeek wrote:
KermMartian wrote:
On the other hand, using it in a program on your webserver, the source to which only you have access, is considered okay.

It will be part of a desktop application, so with this in mind, should I set up a web server that holds the said credentials?
Unfortunately, that's the only safe way to do things. Including the credentials in the desktop application in any way, even encrypted, gives an adversary the opportunity to easily extract the credentials.
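The broker arrangement described in this thread, written out as an added example that is not part of the original posts: the desktop client authenticates to your server with its own session token, and only the server, which reads the consumer secret from its environment, signs requests to Twitter with OAuth 1.0a HMAC-SHA1. The environment variable names, the session store and every key and token value are constructed placeholders.

```python
import base64, hashlib, hmac, os, secrets, time, urllib.parse

# The consumer (API) secret lives only in the server's environment. The variable
# names and the fallback values are constructed placeholders for this example.
CONSUMER_KEY = os.environ.get("TWITTER_CONSUMER_KEY", "example-consumer-key")
CONSUMER_SECRET = os.environ.get("TWITTER_CONSUMER_SECRET", "example-consumer-secret")

# Constructed session store. The desktop client logs in with its own credentials and
# receives an opaque session token; the per-user Twitter access token stays server-side.
SESSIONS = {"session-token-abc": {"user": "alice", "oauth_token": "alice-access-token",
                                  "oauth_token_secret": "alice-token-secret"}}

def pct(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters are left bare.
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Encode each key and value, sort the pairs, join them, then encode the result again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, token_secret):
    # HMAC-SHA1 over the base string, keyed with "consumer secret & token secret".
    key = f"{pct(CONSUMER_SECRET)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, params, oauth_token, token_secret, nonce=None, ts=None):
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts or int(time.time())),
        "oauth_token": oauth_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**params, **oauth}, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def broker_request(session_token, method, url, params):
    # What the desktop client actually calls. Verify the client's own credential first;
    # only then produce a signed header. Neither secret is ever returned to the client.
    session = SESSIONS.get(session_token)
    if session is None:
        raise PermissionError("unknown or expired client session")
    header = authorization_header(method, url, params, session["oauth_token"], session["oauth_token_secret"])
    return {"user": session["user"], "Authorization": header}
```

The returned header is what the server attaches to its own outbound request to Twitter; the client only ever sees the result of that call, never the secrets used to sign it.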
  