This is an integrity problem, not a technical problem. A system administrator can (often) technically do anything they like. No matter which tools they use.
So what can be done about this?
- Limit which users can become root (sudo).
- Log what system administrators do. And log centrally. Our tools log to the local syslog service.
- Ensure system administrators know what they can and cannot do. Consider it a policy violation to bypass compliance measures.