How do you create a new user? There are several ways to do it. You can run the adduser command. There are probably GUI-based applications that accomplish the same thing. You can modify /etc/passwd and related files with the vipw command, which edits them in place. And if you know what you're doing, you can accomplish the same thing with command-line utilities, like cat / mv / sed and so on. So saying "to do everything except create new users" makes no sense.
I think the correct answer to this problem is not technical, but organizational: Make sure the person you trust with sudo is actually trustworthy, and then instruct them correctly. If that doesn't work:
In addition to the doas suggestion, how about the following: Instead of excluding one particular task, make a list of what tasks are included. Then for each of them, create a way to do it that does NOT require using a shell. One example is to create a variety of shell scripts, one per task, and allow each of them individually.
In addition, I also prefer doas over sudo. Easier to configure and simpler.
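
An added illustration of the one-script-per-task allowlist suggested above (not part of the original post): a wrapper that restarts only named services, with the doas.conf rule that permits it shown in the comments. The script name, install path, user "alice", service names and the location of the `service` command are all assumptions.

```sh
#!/bin/sh
# Hypothetical per-task wrapper, installed root-owned and not writable by the
# delegated user, e.g. /usr/local/libexec/tasks/restart-service (assumed path).
# Matching doas.conf rule (user "alice" is an assumption), with no catch-all
# "permit alice as root" rule next to it:
#   permit alice as root cmd /usr/local/libexec/tasks/restart-service
# doas passes any arguments through for this rule, so the script validates them.

# Constructed sample allowlist: the only services this task may restart.
ALLOWED_SERVICES="nginx postfix"

# Return 0 only when $1 is exactly one allowlisted service name.
is_allowed_service() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;  # empty, paths, spaces, shell metacharacters
    esac
    for s in $ALLOWED_SERVICES; do
        if [ "$1" = "$s" ]; then return 0; fi
    done
    return 1
}

main() {
    # Fixed PATH and absolute command path: nothing is looked up via the caller.
    PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
    if [ "$#" -ne 1 ] || ! is_allowed_service "$1"; then
        echo "usage: restart-service {nginx|postfix}" >&2
        exit 64
    fi
    # /usr/sbin/service is an assumed location; adjust for the target system.
    exec /usr/sbin/service "$1" restart
}

# Run only when invoked under the installed name, so the file can be sourced.
case "${0##*/}" in
    restart-service) main "$@" ;;
esac
```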