Deploying to Production is the highest level permission. If they can deploy to Production, they can also create a deployment record. However, if you want, you can make it where they can ONLY deploy to Production, if you only want them to handle that final stage of the release.
Firstly, in order to provide any team members with the ability of deploying to production, the Team Owner has to share visibility with that team member.
When sharing that visibility, you have the ability provide a team member with a "Deploy" or "Validate" Access Level. In the same sense however, you have this sharing ability on every org you add to Essentials but you can also restrict (or simply, not share) an org with that same team member.
So simply put, to solve this use case, give that team member the Deploy access permission for the production org but refrain from sharing the other sandboxes in your pipeline with that team member.