Or try another approach ... (Score 1)
How can I log so that I have a trail left to examine?
This question is easy to answer: turn on logging as much as possible. The only downside is that anyone with root access can alter or delete those logs. Process accounting as a means for logging what root is doing is easy to implement but very hard to use. PA only logs when a command finishes, so most of the time you will have all the commands in the reverse order they were executed. And it doesn't log arguments. So it certainly does not give you a bulletproof solution. The best solution here is to try logging to a remote computer; syslog has facilities to do just this. Using sudo, a well-known tool on Linux, is also an option. Using sudo, however, is not as easy as it seems. You have to carefully enumerate the list of commands the user can execute. Listing "vim", for instance, opens up sudo to every command, since in vim you can start a shell as root in that case.
Another interesting point to mention here is that it is probably better to prevent than to cure. Abuse of the root account, a break in,
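As an added example (not the commenter's own code), a small Python audit of the sudoers pitfall described above: it parses sudoers-style rules and flags entries that hand out an editor able to spawn a root shell without sudo's `NOEXEC` tag, or that grant `ALL`. The sample rules, the regex and the editor list are constructed assumptions, not taken from any real system.

```python
"""Audit sudoers-style rules for commands that amount to an unrestricted root shell."""
import re
from typing import Dict, List, Tuple

# Editors that can start a shell from inside (the comment's vim example). Assumption:
# this list is illustrative, not exhaustive.
SHELL_ESCAPE_CMDS = {"vim", "vi", "vimdiff"}

# user host = (runas) [TAG: ...] cmd, cmd   (directives and aliases are skipped)
SUDOERS_LINE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> List[Dict]:
    """Return one dict per command spec: user, host, tags (e.g. NOEXEC) and the command."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        for spec in m.group("rest").split(","):
            spec, tags = spec.strip(), []
            # Leading upper-case words ending in ':' are tags such as NOPASSWD: or NOEXEC:
            while ":" in spec and spec.split(":", 1)[0].strip().isupper():
                tag, spec = spec.split(":", 1)
                tags.append(tag.strip())
                spec = spec.strip()
            entries.append({"user": m.group("who"), "host": m.group("host"),
                            "tags": tags, "cmd": spec})
    return entries


def audit(entries: List[Dict]) -> List[Tuple[str, str, str]]:
    """Flag specs that grant a root shell: ALL, or a shell-escaping editor without NOEXEC."""
    findings = []
    for e in entries:
        base = e["cmd"].split()[0].rsplit("/", 1)[-1] if e["cmd"] else ""
        if e["cmd"] == "ALL":
            findings.append((e["user"], e["cmd"], "grants every command"))
        elif base in SHELL_ESCAPE_CMDS and "NOEXEC" not in e["tags"]:
            findings.append((e["user"], e["cmd"],
                             "editor can spawn a shell; prefer sudoedit or add the NOEXEC tag"))
    return findings


SAMPLE = """\
# constructed sample, not a real sudoers file
Defaults    env_reset
root    ALL=(ALL) ALL
alice   ALL=(root) /usr/bin/vim /etc/hosts
bob     ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
carol   ALL=(root) sudoedit /etc/hosts, /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for user, cmd, why in audit(parse_sudoers(SAMPLE)):
        print(f"{user}: {cmd!r} -> {why}")
```

Only `root` (ALL) and `alice` (plain vim) are reported; `bob`'s NOEXEC entry and `carol`'s sudoedit entry pass.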