Haven't done it on AIX (I have on Linux, HP-UX and Solaris) but typically you'd install sudo then modify the sudoers file using the visudo command.
Basically you set up something like the following in sudoers:
# User Aliases
User_Alias <UALIASNAME> = <login1>[,<login2>] [...]
Here you decide what user alias name to give (e.g. you could call it SPECUSER for "special user" or "billybob" just because you like that name). The login ids are the ones that appear in /etc/passwd. You can have more than one separated by comma. (Note the brackets are not literal so shouldn't appear in the file.)
# Command Aliases
Cmnd_Alias <CALIASNAME1> = /usr/bin/su - <userid1>
Cmnd_Alias <CALIASNAME2> = /usr/bin/su - <userid2>
Cmnd_Alias LSOF = /usr/bin/lsof
Here again you decide the alias names you want (we typically base these on the user id we want to allow su access to) for example you might put:
"Cmnd_Alias ORACLE = /usr/bin/su - oracle". The 3rd line is how you grant access to the LSOF command. (The alias name doesn't have to be LSOF - it could be anything you want so long as it is unique within the sudoers file.)
<UALIASNAME> ALL = <CALIASNAME1>[,<CALIASNAME2>] [...]
Here you use the user alias you created and add all the command aliases you want logins in that user alias to have access to. (The "ALL" means all machines but unless you've defined other machines in the sudoers file it doesn't actually give access to any other machines.)
So your final grant might look like:
SPECUSER ALL = ORACLE, LSOF
That would give the logins in SPECUSER access to "su - oracle" and "/usr/bin/lsof".
Note that rather than giving "sudo su - *" and excluding all other user IDs you should do the opposite. Give ONLY "sudo su -" to the IDs you want. You can create a Cmnd_Alias for each ID the user should have access to. By doing this you prevent them from gaining access to a new account they shouldn't have access to later. Personally I can't see any reason any user (other than system administrators) should be allowed to sudo to all other users - it should typically be reserved to admin accounts. If you allow this person to sudo to fred's account for example he might do things as fred that would be logged as being done by fred for which fred might get fired. We do have multiple administrative accounts that we allow users to access as shown above but none that allow one "real" user to become another "real" user. Note that there is a security log for sudo so you can tell when they become another user but won't see what they did once they became that user. However, if you really want to do it the way you said you can in fact negate access by doing that on the grant line.
P.S. I thought AIX had some built-in tool that granted root access like sudo but accessed via smitty. Haven't used that but have a vague recollection of seeing it mentioned somewhere.
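An added example, not part of the original post: a small audit script that reads sudoers text and flags the grants the post advises against, namely su entries that do not pin one target user and negated ("!") entries on a grant line. The sample sudoers text, the logins alice and bob, and the function names are constructed for illustration; it assumes one entry per line, no line continuations and no Runas specifications.

```python
import re

# Constructed sample sudoers text; aliases and logins are illustrative only.
SAMPLE = """\
User_Alias SPECUSER = alice, bob
Cmnd_Alias ORACLE = /usr/bin/su - oracle
Cmnd_Alias LSOF = /usr/bin/lsof
Cmnd_Alias ANYSU = /usr/bin/su - *
Cmnd_Alias BARESU = /usr/bin/su
SPECUSER ALL = ORACLE, LSOF
alice ALL = ANYSU, !/usr/bin/su - root
bob ALL = BARESU
"""

SU_RE = re.compile(r"^(?:/usr)?/bin/su(?:\s+(.*))?$")

def su_problem(cmd):
    """Return why a command spec is an over-broad su grant, else None."""
    m = SU_RE.match(cmd.strip())
    if not m:
        return None
    args = (m.group(1) or "").split()
    if not args:  # sudoers: a command listed without arguments permits any
        return "su without arguments: any target user is allowed"
    if any(c in a for a in args for c in "*?["):
        return "wildcard in su arguments: any target user is allowed"
    if all(a.startswith("-") for a in args):
        return "su with no user named: target defaults to root"
    return None

def audit(text):
    """Return (line number, grantee, reason) for each risky grant."""
    aliases, findings = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line or line.startswith("Defaults"):
            continue
        left, right = (p.strip() for p in line.split("=", 1))
        items = [i.strip() for i in right.split(",")]
        kind = left.split()[0]
        if kind == "Cmnd_Alias":
            aliases[left.split()[1]] = items
        elif not kind.endswith("_Alias"):  # a grant line: expand and check
            for item in items:
                if item.startswith("!"):
                    why = ["negated entry: grant is built as a deny-list"]
                else:
                    why = filter(None, map(su_problem, aliases.get(item, [item])))
                findings += [(no, kind, w) for w in why]
    return findings
```

Calling audit(SAMPLE) reports the alice and bob grants and leaves the SPECUSER line alone, since "su - oracle" names exactly one target user.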