The commands which users can execute with sudo can be configured with the
"sudoers" configuration file.
$ man sudoers
Note that "su" is a red herring, because it is "sudo" which escalates privilege.
"su" just provides a way to get a shell. Any program which allows the execution
of arbitrary programs can be used to obtain a root shell, if that program can be
run using sudo.
For instance:
$ sudo vi
:!sh
# root!
If you can run a text editor as root:
$ sudo vi /etc/shadow
[ ... edit any user's password, incl root ... ]
$ su anyuser
password: [type new password you just created]
Basically, if you do not trust a user to have root privileges, but that user must
be able to do some admin tasks, you must severely restrict sudo to just run
a specific command or set of commands, and think very carefully about the
implications of those commands being run with privileges.
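As an added example (not part of the original post), a small POSIX sh audit that reads sudoers-style rules and flags the two patterns discussed above: unrestricted "ALL" grants, and editors such as vi/vim being run as root. The sample sudoers fragment is constructed for the example; it is not a real system file.

```shell
#!/bin/sh
# Constructed sudoers fragment for demonstration only (not from a real host).
SAMPLE_SUDOERS='# constructed example
alice ALL=(ALL) ALL
bob   ALL=(root) /usr/bin/vi /etc/hosts
carol ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
dave  ALL=(root) /usr/bin/vim
erin  ALL=(root) sudoedit /etc/hosts
'

# audit_sudoers: read sudoers-style lines on stdin, print one line per rule.
# Rules are only parsed in their simplest "user HOST=(runas) commands" form;
# Defaults, aliases and includes are outside what this example handles.
audit_sudoers() {
  grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
    user=${line%%[[:space:]]*}      # first token: the user (or %group)
    cmds=${line#*)}                 # everything after the "(runas)" part
    case "$cmds" in
      *ALL*)
        echo "HIGH $user: unrestricted (ALL) - equivalent to a root shell" ;;
      *"/vi "*|*/vi|*"/vim "*|*/vim)
        echo "HIGH $user: editor run as root - :!sh gives a root shell" ;;
      *)
        # e.g. a single service command, or sudoedit, which edits a copy of
        # the file as the calling user instead of running the editor as root
        echo "ok   $user:$cmds" ;;
    esac
  done
}

# count_high: number of HIGH findings in the constructed sample (returns 3).
count_high() {
  printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers | grep -c '^HIGH'
}

printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

Note that `visudo -c` only checks sudoers syntax; it says nothing about whether a granted command can spawn a shell.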