If you have reason to believe that a person with root-level authorizations is abusing their privileges, enable auditing for that user to determine whether they are performing questionable actions. If the user has the root password or the su authorization, event "L. (Admin/Operator Actions)" will show the actions they perform that require high-level authorization.