Set up the pam_wheel module to restrict the execution of su to members of the wheel group. This involves editing /etc/pam.d/su and (generally) adding a wheel group. The root group will be used if the wheel group does not exist, but it is not recommended to include non-root users in the root group.
Restrict the execution of su
With root privileges uncomment the following line in /etc/pam.d/su, by removing the leading '#':
auth required pam_wheel.so
Now no user (other than root, and anyone else in the root group) can execute su.
Allow a user to execute su
After having restricted the execution of su, create the group wheel with root privileges:
# addgroup --system wheel
And then add user_name to that group:
# adduser user_name wheel
Now user_name can execute su. Repeat the adduser call for other users if required.