That sounds like an offence of company / organisation policies - should those exist. Time to establish at least some sort of rules, no?
Why don't you in sudoers prohibit su for anyone but root so sudo su will fail and be reported?
And, BTW, analysing reports for offences can be made an automated task...
EDIT: Re-reading your post, I see that some root access is necessary. This is exactly what sudo is for, not su.
man sudo:
Quote:
sudo allows a permitted user to execute a command as the superuser
So, you should list the allowed users for execution of a certain limited set of commands, which, btw, should be the method preferred over what you presented above.
man sudoers:
Quote:
Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended
All man info from an Ubuntu Linux 17.10 system...
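The post above notes that a blocked sudo su gets reported and that analysing those reports can be automated. As an added example (not part of the original post), this Python script scans sudo's syslog lines for denied commands and for su or shell invocations as root. The log lines are constructed samples, and the names `audit`, `SHELLS` and `SAMPLE_LOG` are assumptions for illustration.

```python
import re

# Constructed sample lines in the format sudo writes to syslog
# (for example /var/log/auth.log on Ubuntu). Not real data.
SAMPLE_LOG = """\
Jan  5 10:12:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan  5 10:13:44 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Jan  5 10:15:09 host1 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Jan  5 10:16:30 host1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/su -
Jan  5 10:17:02 host1 sshd[912]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# Matches "sudo:" or "sudo[pid]:", then "<user> : <fields>".
LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<fields>.*)$")

# Assumption: binaries that amount to an unrestricted root shell under local policy.
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh"}


def audit(log_text):
    """Return (user, kind, command) tuples for sudo events worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or "COMMAND=" not in m["fields"]:
            continue
        head, _, command = m["fields"].partition("COMMAND=")
        argv = command.split()
        if not argv:
            continue
        parts = [p.strip() for p in head.split(" ; ") if p.strip()]
        # A leading field without "=" is sudo's failure reason,
        # e.g. "command not allowed" or "user NOT in sudoers".
        denied = bool(parts) and "=" not in parts[0]
        binary = argv[0].rsplit("/", 1)[-1]
        if denied:
            findings.append((m["user"], "denied", command))
        elif binary in SHELLS:
            findings.append((m["user"], "root-shell", command))
    return findings


if __name__ == "__main__":
    for user, kind, command in audit(SAMPLE_LOG):
        print(f"{kind:10} {user:8} {command}")
```

Run it against the real sudo log by passing the file's contents to `audit`; permitted, non-shell commands such as the systemctl line are not reported.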