remember there is a difference between a LOGIN and a USER.
nothing gets any rights unless you add them to a group or role that gives them permissions.
so, never add a LOGIN as sysadmin, and they can never add anyone else as sysadmin either.
in a specific database, anyone in the db_owner role can create a USER for that specific database, but not do anything to their logins (assuming you did not give them sysadmin)
scripting wise, here's an example or two.
--create our normal user
CREATE LOGIN [ClarkKent] WITH PASSWORD=N'NotTh3ARealPassword',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=ON, CHECK_POLICY=ON;
GO
USE [SandBox]
GO
CREATE USER ClarkKent For Login ClarkKent;
GO
ALTER USER ClarkKent with DEFAULT_SCHEMA = 'dbo'
EXECUTE AS User='ClarkKent'
select * from sys.objects --cannot see anything, nothing granted to him so far
REVERT; --change back to the superuser
EXEC sp_addrolemember 'db_datareader','ClarkKent ';
EXECUTE AS User='ClarkKent'
select * from sys.objects --can NOW see all the tables and views and query them
REVERT; --change back to the superuser
Lowell