Who can sign my certificate authority?

In theory, yes, another CA could cross-sign yours. But only if you're already an established CA in general, as the other CA's reputation rests on them only issuing certificates that satisfy the industry-required validation rules and more – and that extends to all CAs that they've cross-signed.

For example, the "Let's Encrypt" intermediates were cross-signed by IdenTrust for the initial few years, until ISRG's own root CA certificates became widespread enough. (Yes, "Let's Encrypt" is not a root CA – ISRG is.)

So it's possible, but if you're just running the operation from your garage, that's very unlikely to happen. I'd say it's actually less likely than just getting your root CA directly accepted in the Windows "trusted CA" list.

As another option, if a customer needs a large amount of certificates, many CAs offer to issue an intermediate just for that customer. In the past, this used to mean you'd just get the private key and everything; nowadays it's a bit frowned upon (due to several cases of such intermediates finding their way into "SSL inspection" hardware and being used to spoof certificates on the whim of some CEO).

So while it's still possible to buy an intermediate CA cert, now you only get remote API access to a certificate that's still managed by the original CA – your company's name shows up in the hierarchy but you're still subject to validation rules.

In other words, CAs tend to avoid doing what you're asking for, and I suspect it's precisely so that their certificates would not be used for purposes like yours. Nobody likes a random program on their computer issuing bogus certificates.