Yes, it is possible. Either with ByteCoin's suggestion:
Yes that works fine except instead of point addition, use point multiplication.
S1 and S2 are random numbers about the same size of the group order. Send the second party the coordinates of S1*G where G is the agreed "generator" point. The final public key is S2*(S1*G) and the private key is (S1 * S2) modulo the curve order.
ByteCoin
Or with point addition (slightly different, but the security is the same):
The first party generates S1*G, and sends the X and Y to the second party. The second party
adds to this point the point S2*G.
This means the public key is now S1*G + S2 * G = (S1+S2)*G, and the private key is (S1+S2). (Of course, everything modulo the curve order.)
Maybe I don't understand the problem, but if you want to take away our trust of you, then just have the purchaser send you a public key and an encrypted private key.
That wouldn't help then second hand buyers couldn't trust the coin.
Actually, they could, if the hologram is intact. Since under the hologram S2 is stored, the first buyer can't have redeemed the coins unless the hologram is broken. (Assuming safe holograms here.)
You, as a second hand buyer, of course have to trust the first buyer to give you the correct S1. But since the knowledge of S1 an sich is useless to the first buyer, there is no gain for them in scamming you. Unless they don't like you.
This sounds a lot like threshold cryptography, which is extensively studied. For example see
this paper which covers threshold ECDSA, ie, can a group of players sign a message such that if some players become unresponsive they are kicked out - you need a "threshold of players" hence the name.
If you look at that paper, the part that's relevant is the "ECVSS without a dealer" section. Some older threshold DSA schemes required the key to be created and split by a trusted dealer. Newer schemes can do without that. So you'd adopt the verifiable secret sharing scheme but ignore the threshold signing.
The "simple" case discussed up till now where all the keys involved need to be known is rather trivial, and is not threshold signing. That said, threshold signing may be useful, since invariably one of the parties is going to lose his key, and you don't want the money to be gone then.