Set up the pam_wheel module to restrict the execution of su, editing /etc/pam.d/su and (optionally) adding a wheel group.
The root group will be checked if the wheel group does not exist, but it is recommended to leave that group to root alone.
Restrict the execution of su
With root privileges uncomment the following line in /etc/pam.d/su, by removing the leading '#':
#auth required pam_wheel.so
That's all for the file and no user can execute su anymore. This is the most secure configuration.
Allow a user to execute su
After having restricted the execution of su, create the group wheel with root privileges:
# groupadd wheel
And then add user_name to that group:
# usermod -aG wheel user_name
From now user_name can execute su.