Limited Admin Privileges/Specific Elevation of User Accounts
I'm hoping to create an account on my laptop for my roommate. I don't want him to have a full admin account, but he knows enough about computers that he could troubleshoot networking, and I want to enable him to install programs on the system. I'm not sure what the best way to go about creating an account which can elevate itself for specific tasks; I've never modified my sudoers file before, and I don't know how to do so to grant him access to the privileges he should have. I don't want to force him to use Terminal; I'd rather have him be able to enter a username/password for Admin privileges when prompted, whether that's his standard user account or a limited Admin account, but I want to make sure that account DOESN'T have access to modify anything in Users & Groups, can't create accounts with dscl, can't modify the keychain or hard drive partitions, etc.
Am I right in thinking the sudoers file is the best way to approach this? How do I find out what processes to allow access to? Does Network Preferences, for example, have any dependencies he will also need to be able to run? Also, is there a good starting point/article on modifying the sudoers file for this type of thing anywhere? <<clearly googling the wrong thing because my searches just tell me how to add someone to the sudoers file>>
OS X Mountain Lion (10.8.2)