In v8.0 you can add users to Great Plains without being logged in as SA. Unlike previous versions, there is an option to create Non-SA administrators and get some separation between database and application security.
From page 27 of the MBS Planning for Security in Great Plains guide:
2. Assign the specific Great Plains administrator(s) SQL login account to the SysAdmin fixed serverrole using SQL Server Enterprise Manager.
So by assigning and existing GP user to the System Admin role in Enterprise Manager they can add users without being SA.
The full document can be found at https://mbs.microsoft.com/downloads/customer/GreatPlainsSecurity.pdf if you're a customersource member.
Is this perfect, no. It requires a SQL security and most likely, the help of your resident DBA. Also, the user would still have elevated access to the underlying SQL tables. BUT they wouldn't have access to non-GP databases on the same server. So the control is at least restricted to within Great Plains, whereas giving SA access, gives System Administrator access to any databases on that server installation.