RossCo@Discovery

Allow a Profile to Add Users

Good day

 

Is there any way to allow a given user profile to add users?

 

Thanks

Ross

 

wt35

The most straightforward way is to give that profile the "Manage Users" permission:

http://org62.my.salesforce.com/help/doc/en/adding_new_users.htm

 

Peter_sfdc

There are two ways to allow users to only administer users:

 

1. The profile permission of Manage Users. This is a blanket permission and a user with this permission gets to work with any and all users in the system.

2. Delegated Administration. This is a more fine-tuned feature that allows you to limit which users and profiles a user admin can work with. You can even dictate a subset of objects that this administrator is allowed to modify (or none). 

 

If I were considering my approach, in a large org, I would always take the time to work out a strategy of delegated administration. Just granting manage users to any and all comers really risks abuse. On the other hand, in a smaller org, or where less mission-critical data might be at stake, using the blanket profile permission is the simplest way to proceed. 

 

In reality, most orgs will probably want to avail themselves of both features depending on the use case. 

 

There also exists a third option: SSO federated authentication with SAML and just-in-time provisioning. If you are using the SAML SSO option, SAML and Salesforce support a feature that allows a user to automatically have their SFDC user provisioned for them the first time they attempt to access Salesforce. If you already have an identity provider that supports SAML, federated authentication is not difficult to set up and can make your users very happy, as they will use their standard network password to access salesforce.com instead of having to learn a new Salesforce-specific user ID and password which they may need to change on a regular basis.

 

Good luck!