The default approval policy for "New Active Directory security group" is "Approval of AD group create requests". This means the Employee's manager will need to complete the group creation request, adding Name, Container and Group Type.
Thus, the manager requires the "Target systems\Active Directory" application role or an equivalent to complete the group creation.
Once the manager submits the request for approval the execution of the group creation will continue.
For a custom workflow in this process, it's important to ensure the Process Execution step is present, last in the workflow, with the Event for ADGROUP_AD. Otherwise, the group creation will not take place: