Because someone is in a position of trust, with privileges raised to do their job, doesn't mean you cannot do anything if the trust is breached.
You need to account for the commands and time spent on a box that an admin might do, so that if there ever was a breach of trust there are sufficiently strong logs to detect how and when and what happened. If people know that their work is (if needed) being recorded, there's less incentive to do damage that might be criminally motivated.
You also need to detect and be notified of activity that would not typically fall within the boundaries of an admin's daily routine (such as deleting large quantities of files perhaps, or execution of programs (like shred) that you wouldn't typically use).
You have not mentioned the platforms you are working with, or if you're talking about a platform or just some CMS, but Linux, for example, has audit; you can set this up to monitor virtually anything you might want to watch for. It takes a little more creativity to audit from a thresholds perspective (where work is permitted but too many events at once is a threat), but it can be done. Audit can be locked once you've finished setting up the ruleset, meaning the box needs to be rebooted for you to change the ruleset at all.
There are also PAM modules for Linux (like pam_tty) that can log literally every character a user pressed into their terminal (including non-space characters like escape and backspace), which can be useful to help determine the impact of incidents that you might be after avoiding.
SELinux on Linux on newer distros (typically thinking Enterprise Linux 6) has flexible support for role-based access controls, which can further restrict an admin's abilities exactly down to the least privilege needed to do their job. Learning SELinux to the extent you can really do this efficiently might be a commitment, though, that you might not have the time for, although I certainly recommend learning about Mandatory Access Control policies, especially for situations like this.
Transport these logs to a remote machine, if necessary one nobody has access to without some form of local authorization (like using pam_usb). There's no point doing logging just on the audited box that a potential admin has access to.
Detection can be more difficult. Prelude is an open source security application that offers some stuff you might find of benefit here; other than that, rolling your own scripts might help too, depending on your skills and experience in such things.
Finally, and more importantly, people who are given positions of trust like this should be trustworthy. This is purely a management problem, but screen your guys effectively. Don't hand the keys to the city to some bloke you pulled in off the street without doing at least some background checking.
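
The threshold case described above (deleting is permitted, a burst of deletes is not) and the shred case, as an added example that is not part of the original answer: a Python pass over audit SYSCALL records. The key names `admin_delete` and `admin_shred`, the rules shown in the comment, and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed audit rules (hypothetical key names), loaded before locking with "-e 2":
#   -a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -k admin_delete
#   -w /usr/bin/shred -p x -k admin_shred
RECORD = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?\bauid=(?P<auid>\d+)\b'
    r'.*?\bexe="(?P<exe>[^"]*)".*?\bkey="(?P<key>[^"]*)"'
)

def detect(lines, max_deletes=3, window=10):
    """Alert on any admin_shred event, and on more than max_deletes
    admin_delete events from one login uid (auid) within `window` seconds."""
    alerts = []
    recent = defaultdict(deque)          # auid -> timestamps of recent deletes
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue                     # not a keyed SYSCALL record
        ts, auid, key = int(m["ts"]), m["auid"], m["key"]
        if key == "admin_shred":
            alerts.append((ts, auid, "unusual-program", m["exe"]))
        elif key == "admin_delete":
            q = recent[auid]
            q.append(ts)
            while ts - q[0] > window:    # drop events older than the window
                q.popleft()
            if len(q) > max_deletes:
                alerts.append((ts, auid, "delete-burst", m["exe"]))
                q.clear()                # start counting the next burst afresh
    return alerts

def _rec(ts, serial, sc, auid, exe, key):
    # Builds a constructed, abbreviated SYSCALL record for the sample below.
    return (f'type=SYSCALL msg=audit({ts}.101:{serial}): arch=c000003e '
            f'syscall={sc} success=yes exit=0 auid={auid} uid=0 '
            f'exe="{exe}" key="{key}"')

T = 1700000000
SAMPLE = [  # constructed sample log, in time order
    _rec(T, 501, 263, 1001, "/usr/bin/rm", "admin_delete"),
    _rec(T + 1, 502, 263, 1001, "/usr/bin/rm", "admin_delete"),
    _rec(T + 2, 503, 263, 1002, "/usr/bin/rm", "admin_delete"),
    _rec(T + 2, 504, 263, 1001, "/usr/bin/rm", "admin_delete"),
    _rec(T + 3, 505, 263, 1001, "/usr/bin/rm", "admin_delete"),
    _rec(T + 20, 506, 59, 1001, "/usr/bin/shred", "admin_shred"),
    _rec(T + 30, 507, 263, 1002, "/usr/bin/rm", "admin_delete"),
]
```

Keying on `auid` rather than `uid` keeps events attributed to the account that originally logged in, even after the admin has switched to root.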