Anyone who worries about wireless security and hasn't yet deployed WPA2-Enterprise and VLANs deserves everything they get.
Seriously, an employee plugging in a router? ALARM BELLS GO OFF IN IT ROOM.
An employee sets up a duplicate wireless network with the same SSID?
Weird. None of the connection policies match, so nothing officially supplied by IT will connect to it. And employees "might" connect to it, manually, sure. If it wasn't that the wireless AP's around the place have spotted the intruder, emailled me, triangulated the position of the AP, flooded it off the airwaves, and you'd have to re-type in all your RADIUS / WPA keys into it in order for it to actually let you CONNECT without warnings anyway.
It's just not a problem if you are serious about your wireless deployment. If you're not serious, that's the problem.
I'm an IT guy that works in schools, with hostile users, some of them living on-premises, willing to break all the rules, some of whom have built their own drones to fly around the school premises, and this isn't an issue I'd be concerned about.
For a start, the Cisco Meraki gear I use would "contain" any such network, and it would warn me, and it would even put a little pinpoint on a wireless heatmap if I so desired to tell me where they are.
The rest is just taking a smartphone with a free app, walking to that point, and disciplining whoever I found there / taking down the drone and waiting for someone to come claim it.