As Mustafa Rawi has pointed out, a member of 'Access Rights' can actually create a new user with the 'Settings' permissions or add himself to the 'Settings' group by activating 'Technical Features' for their account - after activating 'Technical Features' they have access to the 'Groups' navigation point. Funnily enough, if they're in the 'Access Rights' groups, they can't simply edit their own user through the normal Edit User Form and select 'Settings' from the 'Administration' drop down. So the workaround of activating 'Technical Features' has to be used.
I don't get why there is a distinction between the two groups. Maybe this has historical reasons. From a security point of view, treat users from the group 'Access Rights' as having the extended 'Settings' permissions. They're basically super users.
Edit: Actually, it looks like if a user is in any group that has full CRUD permissions for res.users, they can create a new user with elevated group permissions ('Technical Features', 'Settings).