The use of escaping data before outputting it to the browser ensures that no malicious (external) content (over which you have no control) can be outputted to the browser, and that no errors occur in HTML tags. Additionally, translated strings can be escape to make sure their translations have no unescaped special characters.
In your case, the second option you present is better than the first. Instead of escaping the entire HTML and leaving in the A-tag, you can assume that you yourself have correctly formatted the A-tag and escape the contents. However, in general, you don’t have to apply __() to a URL, as it doesn’t really have a translation (expect if you’ve hardcoded a link to a multilingual website, but that’s very unlikely ;-)). The best approach would be:
printf( __( 'One and <a href="https://wordpress.stackexchange.com/questions/222010/%1$s">%2$s</a>.', 'theme_name'), esc_url( 'http://example.com/' ), __( 'Two' ) );
Which ensures that all tag content is escaped properly, that all text can be translated, all the while ensuring flexibility in the two parts of the string. However, it is still a bit case-dependant.