You won't be able to do it at the scripting level unfortunately unless you already have a mechanism in place to capture the commands and just want to automate the transfer of them.

In order to really get a handle on keeping watch over your admins with root access, you'll need to hook into something at a much lower level. Solaris has a set of tools called the BSM (Basic(?) Security Module I think) which will allow you to get right down to the individual system calls if you want. Other OS's will likely have similar options avialable to them too. Post your OS here and with a little luck someone will be able to identify what you'll need to look at to get this going.

Another option is to look at tools like tripwire and remote syslog servers - catch the end result of the commands rather than the commands themselves. Provided everything is logged realtime to a remote server that the users in question do not have access to, you can review what they've done. Just remember to have them sign something to promise they won't turn off the logging and immediatly terminate the employment of anyone that breaks this (you will see it disable even if you can't see what happens afterwards).

Yet another option (and my preference) is to cut back the access. Use sudo to grant specific sets of commands to specific groups of users. Use file permissions to grant read-only access to users that only need that. Use setuid menus to provide for the use of more complex programs while retaining logging of what is being done.

I am one of the two senior engineers responsible for over a hundred servers and I don't know the root password to any of my boxen. It's not actually that tough to set up a three-way model to keep your access control, audit, and admin work seperate. You can't prevent someone playing silly-buggers but you can certainly catch them