SilentLogging and IMSLogger are apparently standard Samsung pre-installed apps (to be honest I'd be disappointed in spyware that advertised itself by name). I've not spotted anything that says key logging so far (after scanning all of the screenshots 3 times), or host client for that matter.
Which are these apks that reinstall themselves?
To be honest just knowing some phone serial number or identifier does not provide magic abilities to hack the phone, nor to track it unless you have access to the carrier's systems (and it would be a huge liability for the carrier if they allowed people to have that access, so that is unlikely). So the single biggest risk factor is if he knows your Google account password. If you have any doubts about this you should change it and ensure that 2 factor authentication is on and no devices he might have access to are authorised. That way if he tried to log in to your account Google will alert you.
How would you know if it was rooted? As said above, a root checker app is the simplest starting place. I'm not a Samsung expert, but their "knox" security system is supposed to flag if the bootloader has ever been unlocked or the system tampered with, so I'd try checking that. You may have to boot into the bootloader to see it (which usually involved restarting the phone while pressing some buttons - as I say, I'm not a Samsung expert). But it does depend on the firmware version: there have been root tools for this model, including some which are claimed not to trip the Knox flag, but at least some of them no longer work (it is normal for firmware updates to close the loopholes that such tools use). So its hard to give complete assurance there: if it came out of the box with an old firmware version and he had sufficient access and knew what he was doing it is possible he could have compromised it (the fact that this is a relatively old device helps there: the newer ones are harder to hack). If you want to be really sure and have access to a computer you could download a fresh set of stock firmware (from Sammobile.com, or possibly from your provider T-Mobile - software support page
here). If someone has interfered with the system reflashing with a full set of firmware will overwrite anything they may have done - back up all of your data first, and don't be afraid to ask for support (I'm not a Samsung user, but plenty here are).
I assume that your circumstances make it difficult for you to just buy a phone that has never been in his hands, since it seems unlikely that you would choose to share an account with him.