I would like to provide full administrative access to servers within the domain to another admin, with a single exception: the administrator should be unable to create new administrator accounts.
I have looked at the options available through control delegation, but am not quite sure how to do what I need, as control delegation appears to be OU-specific.
Add the user account for this user to the local Administrators group on the servers. You can do this with Group Policy Preferences in a domain-linked GPO.
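
One way to check the outcome of the approach in the answer above, as an added example that is not part of the original answer: it lists the local Administrators group on each server and confirms the delegated account is not in the domain's privileged groups. The account name and server names are placeholders, and it assumes PowerShell remoting is enabled on the servers and the RSAT ActiveDirectory module is installed where it runs.

```powershell
# Placeholder values (assumptions, not from the original post); replace with your own.
$Account = 'EXAMPLE\delegated-admin'   # hypothetical delegated administrator
$Servers = 'SRV01', 'SRV02'            # hypothetical member servers in scope of the GPO

# 1. Read the local Administrators group on every server.
#    The group is addressed by its well-known SID (S-1-5-32-544) so the
#    query works regardless of the OS display language.
$localAdmins = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

foreach ($server in $Servers) {
    $members = @($localAdmins | Where-Object PSComputerName -eq $server)
    [pscustomobject]@{
        Server         = $server
        # Direct membership only; access granted through a nested domain
        # group shows up as that group's name in AllAdmins instead.
        AccountIsAdmin = ($members.Name -contains $Account)
        AllAdmins      = $members.Name -join '; '
    }
}

# 2. Confirm the account holds no domain-level privileged membership,
#    which would let it create or promote domain accounts.
Import-Module ActiveDirectory
$sam = ($Account -split '\\')[-1]
$privilegedGroups = 'Domain Admins', 'Administrators', 'Account Operators'

foreach ($group in $privilegedGroups) {
    $hit = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object SamAccountName -eq $sam
    [pscustomobject]@{
        DomainGroup     = $group
        ContainsAccount = [bool]$hit
    }
}
```

The expected result is `AccountIsAdmin` true for every server and `ContainsAccount` false for every domain group; `AllAdmins` also shows any unexpected principals in the local group.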