It looks as though you can give a role the edit_user capability (in authorize.conf) to allow this:
[capability::edit_user]
* Required to create, edit, or remove users.
* Note that Splunk users may edit certain aspects of their information without this capability.
* Also required to manage certificates for distributed search.
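To audit which roles end up holding edit_user once it is granted this way, here is an added example that is not part of the original post or Splunk's own code. It parses authorize.conf text and follows importRoles. The role names and sample file are constructed, and it assumes a capability counts only when set to `enabled` and that imported roles pass their capabilities on.

```python
import configparser

# Constructed sample authorize.conf; the role names are hypothetical.
SAMPLE_CONF = """
[role_user]
search = enabled

[role_useradmin]
importRoles = user
edit_user = enabled

[role_helpdesk]
importRoles = useradmin

[role_analyst]
importRoles = user
"""

def parse_roles(text):
    """Return {role_name: {setting: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (importRoles), configparser lowercases by default
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def holders(roles, capability="edit_user"):
    """Map each role holding the capability to how it got it (direct or inherited)."""
    def source(name, seen):
        if name in seen or name not in roles:  # guard against import cycles and unknown roles
            return None
        seen.add(name)
        opts = roles[name]
        if opts.get(capability, "").strip().lower() == "enabled":
            return name
        for parent in opts.get("importRoles", "").split(";"):
            found = source(parent.strip(), seen) if parent.strip() else None
            if found:
                return found
        return None

    result = {}
    for name in roles:
        src = source(name, set())
        if src:
            result[name] = "direct" if src == name else f"inherited from {src}"
    return result

if __name__ == "__main__":
    for role, how in holders(parse_roles(SAMPLE_CONF)).items():
        print(f"{role}: edit_user ({how})")
```

In the sample, helpdesk never names edit_user itself but still holds it through importRoles, which is the case a review of direct grants alone would miss.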