You don't have a choice about confirmation -- when you set the e-mail address it'll send a confirmation email automatically. Thus they're alerted, and the jig, as they say, is up. :)
Then what? It alerts them to the action, but you can't stop it. The confirmation message says: Someone, probably you from IP address X.Y.Z, has registered an account "YourName" with this e-mail address on Wikipedia.
To confirm that this account really does belong to you and activate e-mail features on Wikipedia, open this link in your browser:
http://test.wikipedia.org/wiki/Special:Confirmemail/baddeefbaddeefbaddeefbad...
If this is *not* you, don't follow the link. This confirmation code will expire at XXX
So, there's no option to "refuse" the email connection. The receiver may think, "oh, somebody registered an account with my name at the Wikipedia in a strange language" but not bother any more about it (note he's relating the warning to the username, not to their email). If he checks the contributions, he will see a user with good edits. If username clashes are as common as Anthony says, he won't think about it again (until he loses his account). He would need to be paranoid, knowing of this vulnerability, to run and warn a steward or take it over. And still he'll need to sleep.
I'd create the takeover account and not set its password to the matching one until minutes before merging them.
Exactly right. A non-confirmed email address shouldn't be used for anything, at all, since without confirmation, it's just a random string. If you really want to use unconfirmed email addresses, then give control of accounts with unconfirmed addresses to accounts with confirmed addresses, but definitely not the other way around; that is a major loophole.