Take a look here: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#access-control-filter
The only thing that you need to do is to limit the access to the delete function to people who have the Creator role. All others will not be able to delete anything.
your function should look like
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
........
[
'actions' => ['save', 'update', 'status', 'activate-all', 'deactivate-all'], // Define specific actions
'allow' => true, // Has access
'roles' => ['Admin', 'Creator'],
],
[
'actions' => ['delete', 'delete-all'], // Define specific actions
'allow' => true, // Has access
'roles' => ['Creator'],
],
[
'allow' => false, // Do not have access
'roles' => ['?'], // Guests '?'
],
],
],
];
}
This is just an example, modify it to suit your own needs. Probably you should not allow an Admin to edit a Creator too as changing the password would be almost the same thing as deleting.