Dear adme,
There are several Security software packages that will monitor unauthorized access to root user which will give email to root.
Also, I don't know what OS version you are using, but in HPUX, there is a config file that allows/restricts su rights, called scfmgr.
However, it is proprietary to HPUX only. Many versions of UNIX don't regulate the su command other than changing the permissions.
Just turing off su to all except root is sometimes impossible to do because some applications, ie Oracle, NetBackup, need su ability to get to root to execute some commands as root.
You will just have to protect the root password closely.