Best Practice to Import Users from AD into ServiceNow

Chong1
Kilo Contributor

Hi there,

I am new to ServiceNow. In my environment I have 3000+ users and 500 service accounts created in the Users OU. What is the best practice to import users from AD into ServiceNow?

Should I create a security group "ServiceNowUserGroup" in AD, add those 3000 users to it and import it into ServiceNow, or point ServiceNow directly at the Users OU?

Thanks in advance!

7 REPLIES

MarkWe
Tera Guru

I think this depends on your requirements and central Identity Management and Provisioning architecture.

If within your organisation it's a requirement to have a security group decide whether or not accounts get provisioned to a certain application, then creating a separate "ServiceNowUserGroup" would make sense.

I'd personally only suggest this option if you have some way of automatically adding and removing users from this group (for example from an Identity Management solution), otherwise you'd have to keep adding and removing users to this group.

 

If you don't have such a requirement or practice within your organisation, you might want to consider adding all user accounts (except I assume all service accounts, functional accounts and administrative accounts).

If you have all users in the same OU (without any way to distinguish service and admin accounts by using an LDAP query) you'd be left with no choice but either adding a separate security group, or moving certain accounts to a different OU -- probably breaking things in the process.

 

Another thing to consider is the groups you want to use within ServiceNow. If you plan on using certain AD-groups within ServiceNow for giving different users different roles, you might need to plan which groups you want to synchronize to ServiceNow as well.
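The group-based option discussed above, as an added example that is not part of the original thread: it builds an Active Directory LDAP filter that selects only enabled user objects that are members of "ServiceNowUserGroup", so service accounts left out of the group are never matched. The group DN, the sample entries and the function names are constructed for illustration.

```python
# Added illustration, not code from the thread. The group DN and the sample
# entries are constructed; function names are hypothetical.
NESTED = "1.2.840.113556.1.4.1941"   # AD matching rule: membership incl. nested groups
BIT_AND = "1.2.840.113556.1.4.803"   # AD matching rule: bitwise AND
ACCOUNTDISABLE = 0x2                 # userAccountControl flag for disabled accounts


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_import_filter(group_dn, nested=True, skip_disabled=True):
    """LDAP filter: user objects that are members of group_dn."""
    attr = "memberOf:%s:" % NESTED if nested else "memberOf"
    clauses = ["(objectCategory=person)", "(objectClass=user)",
               "(%s=%s)" % (attr, escape_filter_value(group_dn))]
    if skip_disabled:
        clauses.append("(!(userAccountControl:%s:=%d))" % (BIT_AND, ACCOUNTDISABLE))
    return "(&" + "".join(clauses) + ")"


def preview(entries, group_dn):
    """Local approximation of the direct-membership filter, for a dry run."""
    wanted = group_dn.lower()
    return [e["sAMAccountName"] for e in entries
            if wanted in (g.lower() for g in e.get("memberOf", []))
            and not e.get("userAccountControl", 0) & ACCOUNTDISABLE]


GROUP_DN = "CN=ServiceNowUserGroup,OU=Groups,DC=example,DC=com"  # constructed
SAMPLE = [  # constructed entries
    {"sAMAccountName": "alice", "memberOf": [GROUP_DN], "userAccountControl": 512},
    {"sAMAccountName": "bob", "memberOf": [GROUP_DN], "userAccountControl": 514},
    {"sAMAccountName": "svc_backup", "memberOf": [], "userAccountControl": 512},
]

if __name__ == "__main__":
    print(build_import_filter(GROUP_DN))
    print(preview(SAMPLE, GROUP_DN))
```

Testing the generated filter against the directory with a read-only LDAP search before using it for the import shows exactly which accounts would be provisioned.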

Chong1
Kilo Contributor

Thanks for the reply!

Carlos Petrucio
Mega Sage

The ideal would be to import all the records, without the need to create this specific group.

In ServiceNow, you can define which groups users will have access to based on their rules.

For example, of the 3 thousand accounts, 120 could be support accounts for the service desk and field service, where in ServiceNow they would be part of the ITIL role, and the others would have an end user profile.

As for the profile, all users could be imported as end users, and a specific piece of data, such as the department, could be used to direct them to the ITIL role.

How do I filter out the 500+ service accounts when importing?