There’s no way to limit the roles shown in the UI, but you can prevent inappropriate roles from being saved by using the onSaveUser extension function.
If you want to limit what’s shown, you’ll need to create your own entry form, using the scripting functions for system.user to get the roles and save the new user.
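A sketch of the save-time check suggested above, as an added example that is not part of the original post and not Ignition's own code. It is plain Python with constructed role names; the function name and the way the role lists reach it from `onSaveUser` are assumptions. It compares what the edit changes, rather than the full requested list, so a manager can still edit a user who already holds a role outside the manager's list but can neither grant nor strip such a role.

```python
# Added example: role names and the helper name are constructed for illustration.
# Assumption: the caller (for instance an onSaveUser script) supplies the roles
# the user held before the edit and the roles the form is trying to save.

def check_role_change(current_roles, requested_roles, assignable_roles):
    """Return which role changes in an edit fall outside the editor's allowlist.

    current_roles    -- roles the user holds before the edit
    requested_roles  -- roles the edit form is trying to save
    assignable_roles -- roles this editor may grant or revoke

    Matching is exact, so a name that is not literally in the allowlist
    is treated as not assignable (fail closed).
    """
    current = set(current_roles)
    requested = set(requested_roles)
    assignable = set(assignable_roles)

    # Only roles that actually change are checked; untouched roles are left alone.
    denied_grants = sorted((requested - current) - assignable)
    denied_revokes = sorted((current - requested) - assignable)

    return {
        "allowed": not denied_grants and not denied_revokes,
        "denied_grants": denied_grants,
        "denied_revokes": denied_revokes,
    }


# Constructed allowlist for a local manager.
MANAGER_ASSIGNABLE = ["Operator", "Supervisor"]

if __name__ == "__main__":
    # Constructed edits: (roles before, roles requested)
    edits = [
        (["Operator"], ["Operator", "Supervisor"]),          # permitted grant
        (["Operator"], ["Operator", "Administrator"]),       # escalation attempt
        (["Administrator", "Operator"], ["Operator"]),       # stripping a protected role
        (["Administrator", "Operator"], ["Administrator", "Supervisor"]),  # permitted swap
    ]
    for before, after in edits:
        result = check_role_change(before, after, MANAGER_ASSIGNABLE)
        print(before, "->", after, result)
```

The save should be refused whenever `allowed` is false, and the denied lists are worth logging with the editor's username so attempted escalations are visible.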
Depending on your overall needs, @KathyApplebaum’s solution is probably better, but another option that works well in some circumstances is to create an additional user source that includes only the roles you want available. Then set up soft fail-over between user sources.
As an example, an Active Directory user source could soft fail over to an internal user source that is managed by a local manager to create local users. This user source would only have roles you want the manager to assign. This in turn can soft fail over to the default user source with an admin user for access if something goes wrong with Active Directory (where other admin users are located).