Posted on 09-24-2019 09:52 AM
Does anyone know of a way to monitor admin actions, like when an admin account is created, or when you have to authenticate as an admin to do something?
Posted on 09-25-2019 06:03 AM
dscl . -read /Groups/admin GroupMembership | sed 's/^.*: //'
Will give you the members of the admin group on the Mac. You should be able to check it for changes. Then if a new admin account is created you can be informed of this change.
I use this to compare to a list of authorised admin accounts, and demote any not authorised back to a standard account. The script also emails me the relevant information, so that I can investigate.
I haven't investigated logging admin authentications.
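The allowlist comparison described in the reply above, as an added example that is not the poster's own script. It only reports (no demotion or e-mail); the `AUTHORISED_ADMINS` list and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report-only check of the local admin group against an allowlist.
# AUTHORISED_ADMINS is a constructed, hypothetical list; replace it with your own.
AUTHORISED_ADMINS="root itadmin"

# Print the current members of the local admin group, one per line.
# Uses the dscl command from the reply; prints nothing where dscl is absent.
current_admins() {
    command -v dscl >/dev/null 2>&1 || return 0
    dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        sed 's/^.*: //' | tr ' ' '\n' | sed '/^$/d'
}

# unauthorised_admins "<members>" "<allowlist>"
# Prints every member (whitespace-separated short names) that is not in the
# allowlist. Names are compared exactly, so "admin" does not match "itadmin".
unauthorised_admins() {
    for member in $1; do
        allowed=no
        for ok in $2; do
            if [ "$member" = "$ok" ]; then
                allowed=yes
            fi
        done
        if [ "$allowed" = no ]; then
            printf '%s\n' "$member"
        fi
    done
}

# Report only: what to do with an unexpected admin is left to the operator.
report=$(unauthorised_admins "$(current_admins)" "$AUTHORISED_ADMINS")
if [ -n "$report" ]; then
    printf 'Unauthorised admin accounts on %s:\n%s\n' "$(hostname)" "$report"
fi
```

Run on a schedule, any output from this script is the signal that the admin group has drifted from the approved list.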