Yes, the password is encrypted on the wire. Normally, the rest of the transaction is not encrypted so all the data flows in clear text though it is possible to configure the session so that the data exchange is also encrypted.
I don't off the top of my head know of any documentation that states this. I'm sure there are some Metalink documents out there that do, I'm just too lazy to search right at the moment. You can enable SQL*Net tracing and/or use Wireshark, though, to confirm that.
If you're one of the handful of folks that really dig in to the Oracle authentication process, it's a bit convoluted. But the server does (after some handshaking) give the client a session ID that is used by the session to encrypt the password.
Short answer is "Yes, the password is encrypted as part of the login process"
Long answer: Is the Password Encrypted when I Logon and Other Related Questions (Doc ID 271825.1)