ClusterRole cluster-admin can modify resource namespace, while admin can't.
Why does creating a namespace need higher permissions?
I think specifying the subject's type as User instead of ServiceAccount solves your issue.
Try using this command:
kubectl create clusterrolebinding test-sa-binding --clusterrole=cluster-admin --user=test-sa
This will create a role for the user; after that, try to modify the namespaces accordingly.
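A narrower alternative to binding cluster-admin, as an added example that is not part of the original question or answer: namespaces are cluster-scoped objects, and the built-in admin role is meant for use inside a namespace and does not grant write access to the namespace object itself, so the grant below is a ClusterRole limited to namespaces. It assumes the ServiceAccount test-sa lives in the namespace default; the names namespace-manager and test-sa-namespace-manager are hypothetical.

```yaml
# Added example, not from the original post.
# Assumptions: ServiceAccount "test-sa" is in namespace "default";
# "namespace-manager" and "test-sa-namespace-manager" are hypothetical names.
#
# Namespaces are cluster-scoped, so the permission has to come from a
# ClusterRole bound with a ClusterRoleBinding. This role grants only the
# namespace verbs instead of everything cluster-admin allows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-manager
rules:
  - apiGroups: [""]            # core API group, where Namespace is defined
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-sa-namespace-manager
subjects:
  - kind: ServiceAccount       # bind the ServiceAccount itself, not a User
    name: test-sa
    namespace: default         # assumed namespace of the ServiceAccount
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-manager
# Check the effective permissions after applying:
#   kubectl auth can-i create namespaces --as=system:serviceaccount:default:test-sa
#   kubectl auth can-i create clusterrolebindings --as=system:serviceaccount:default:test-sa
# The first should answer "yes", the second "no".
```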