Hi,
The best method is to use a TACACS server, where you can define privileges.
Using privilege levels on the switch is hard to use in this situation because you need to configure them on each switch. Also, if you cannot use privilege level 15, then you must specify a lower level and specify all the commands that can be used. It is easy to allow only a few commands, but allowing all except a few takes a long time (you must allow each one explicitly), and the configuration file will look awful.
Or you can use a RADIUS server for authentication and assign full admin rights. The user can then do anything in the configuration, but he will not have access to the RADIUS server to modify users.
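
Added example, not part of the original reply: the two approaches it compares, written as Cisco IOS-style configuration. The IOS syntax, the user names, the level number 5, the server name `TAC1`, the group name `TAC-GROUP`, the address 192.0.2.10 and the bracketed secrets are all assumptions or placeholders.

```ios
! --- Approach 1: local privilege levels (repeat on every switch) ---
! Each permitted command must be moved to the custom level explicitly.
username operator privilege 5 secret <PLACEHOLDER-PASSWORD>
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 no shutdown
privilege interface level 5 description
!
! --- Approach 2: TACACS+ decides per command, centrally ---
aaa new-model
! Local account used only when the TACACS+ server is unreachable.
username fallback-admin privilege 15 secret <PLACEHOLDER-PASSWORD>
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key <PLACEHOLDER-SHARED-KEY>
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Log in against TACACS+, fall back to local users if it does not answer.
aaa authentication login default group TAC-GROUP local
! Let the server assign the starting privilege level of the session.
aaa authorization exec default group TAC-GROUP local
! Send every level-1 and level-15 command to the server for a permit/deny.
aaa authorization commands 1 default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
! Also authorize commands typed inside configuration mode.
aaa authorization config-commands
! Record what was executed, for audit.
aaa accounting commands 15 default start-stop group TAC-GROUP
```

With approach 2 the permit and deny rules live on the TACACS+ server, so an "everything except a few commands" policy is defined once there and the switch configuration stays identical across devices.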