Add a dedicated role named "privileged-community-creator" which can be used to assign the
permission to create private communities only.
In the current implementation using community policy, you can restrict the community types which users in the role "community-owner" are allowed to create (https://www.ibm.com/support/knowledgecenter/en/SSYGQH_6.0.0/admin/admin/t_admin_communities_prevent_user_creation.html). For example, you can limit the types to "public" and "publicInviteOnly".
Users have to be assigned to J2EE role "admin" to be able to create all types of communities including "private". However, being assigned to J2EE role "admin" includes other (unwanted) privileges.
Having a dedicted J2EE role "privileged-community-creator", you could easily assign the permission to create private communities to a group without assigning all administrative privileges.