You're thinking Dual_EC_DRBG, which has nothing to do with AES. NSA only reviewed and approved the AES candidate algorithms, they did not have a direct hand in them like with DES (where they secretly made it more secure) or Dual_EC_DRBG (deliberately sabotaged as part of "Bullrun").
As for 128 vs. 256 the one concern is that 256 seems to be slightly weaker (though FAR from broken) against related key attacks, but given its much greater strength overall I'm not worried by that, both options are sensible, I go with 256 if speed is not a major concern.
If I HAD to pick an alternative today I'd go for ChaCha20 (A Stream Cipher, so not fully comparable), Serpent or Twofish (in descending order of preference), but for the moment I trust AES. Much of that is of course personal preference and gut-feeling, but I read the relevant papers too ;-)
As for 128 vs. 256 the one concern is that 256 seems to be slightly weaker (though FAR from broken) against related key attacks, but given its much greater strength overall I'm not worried by that, both options are sensible, I go with 256 if speed is not a major concern.
If I HAD to pick an alternative today I'd go for ChaCha20 (A Stream Cipher, so not fully comparable), Serpent or Twofish (in descending order of preference), but for the moment I trust AES. Much of that is of course personal preference and gut-feeling, but I read the relevant papers too ;-)