Set up the pam_wheel module to restrict the execution of su, editing /etc/pam.d/su and (optionally) adding a wheel group.
The root group will be checked if the wheel group does not exist, but it is not recommended to include non-root users in the root group.
Restrict the execution of su
With root privileges uncomment the following line in /etc/pam.d/su, by removing the leading '#':
auth required pam_wheel.so
That's all for the file and no user (other than root) can execute su anymore. This is the most secure configuration.
Allow a user to execute su
After having restricted the execution of su, create the group wheel with root privileges:
# addgroup --system wheel
And then add user_name to that group:
# adduser user_name wheel
From now user_name can execute su.