Yes, user authentication (XAuth) is done as part of Phase 1 and the credentials are sent over the Phase 1 tunnel encrypted.
From the PIX to the AD server (on your internal network) it is sent as a standard Radius packet and the password is encrypted in this also.