In my Slackware system, which does not use PAM by the way, it's perfectly possible to support the "wheel" group. In fact, the group is already present in /etc/groups and you can add users to it. Later, you don't need to change the permissions of /bin/su. The check can be run from the program itself if you edit /etc/suauth and add a line like this:

root:ALL EXCEPT GROUP wheel:DENY

But I think this may be due to the "su" program not being GNU su, but the one from the shadow suite. :)