To create a new System.User object the current user needs to have all the user roles of the new users in its grantable roles.
You can define the grantable roles for each user role (see project - security - user roles). With this setting you define what roles a user with this user role can grant to another (e.g. a new) user.
This behaviour did also exist in 2.4, but maybe you have to configure it again because you changed your inheritance structure by inheriting from Administration.Account.
Go to Project > Security ( I assume that the security level is set to production and the security is checked).
What you have done is possible.