I have a user that I have granted the server role "security
administrator" and a database role "db_securityadmin". When logged in
as this user I can create new logins but not run sp_adduser to add the
new login to the database, as this says I don't have permission to do
this. I can, however, run sp_revokedbaccess to get rid of a user from
the database.