There's no way to create such a super admin account that can't be modified in FusionAuth.

Options I can think of to achieve something similar:

make sure you have database backups (a good idea anyway) and recover from your last backup if an admin deletes/locks the primary admin account. Or just investigate the FusionAuth database such that you can flip the bit in there if anyone ever locks the primary admin account. create a second tenant and create a tenant scoped API key. Then build whatever user management tooling you need using that API key. The super user will remain untouched and inaccessible in the default tenant. limit people to the roles that they need and never provide anyone with the user_deleter or user_manager role. The user_support_manager role may be helpful to you: https://fusionauth.io/docs/v1/tech/core-concepts/roles/

Only the last one allows users other than the superadmin to access the FusionAuth admin UI.

Feel free to file a feature request explaining your desired functionality in more detail if you'd like.

If you have an API key configured, you can use the User API to modify a password: https://fusionauth.io/docs/v1/tech/apis/users/

FusionAuth does not have a built in email server, so you need to configure SMTP in order to use the forgot password option. (Of course, you'd need to have set that up before). See the email tab here: https://fusionauth.io/docs/v1/tech/core-concepts/tenants/#email

If you have a FusionAuth cloud account, open a support ticket.

There are no other supported options. You could try to modify your database if you have direct access to that, but this is unsupported.