was this exact scenario. NDS (and possibly other directory services) has a concept of an "Organizational Role" which is the source of the privileges, rather than the actual user him or herself, and the user's account in the Tree is given the "role" of ... say, "Admin." There wasn't any privilege outside of that role, the user accounts were all pretty well stripped bare and derived all ability to function from the role they were said to "occupy."
How does that help? Well, if LDAP or some other free-as-in-beer-and-speech directory service will allow your organization to control that level of access better than granting superuser/sudo privs to particular admins, who could in theory leave behind shadowed user accounts, that might be something worth looking into. I haven't been a NetWare admin in several years, and haven't followed their current progress with NDS, but I do recall that for a while there was a version of it that would sit on top of Linux/Unix as well as Windows and Mac workstations, and Linux/Unix and Windows servers, and could be managed from most of them as well.