For starters, there's no easy way to control which users an admin user can have access to or create. They either have the right to perform an action on users or not, and it applies to all users.
It might be possible to create a plugin to check a custom permission against the Context access credentials of an about-to-be-edited user (possibly in OnUserFormPrerender) and forward the admin somewhere else if they didn't have the permission, but it wouldn't be easy.
Worse yet, since Users don't have a Context setting, that couldn't stop them from creating users, so you'd have to have code that acted when they tried to save a Context Access ACL entry giving users access to a particular context. If you tried to give users a Context setting (say, as an extended field in the User Profile), they could change it themselves.
That would probably mean extending the modUser object and adding a context_access field that only certain admins could edit.
Good luck.