dseditgroup -o edit -a <username> -t user admin
Something like the above will add a user (specified by <username>) into the local machine admin group.
In terms of granting admin based on AD group membership, that's possible. You have to edit the "Allow administration by" value under the Administration tab in Directory Utility > Services > Active Directory. I would advise making this a permanent change in your AD bind configuration that you push to the Macs if you want it to apply to all.
This can also be scripted from what I can see from the dsconfigad manpage, though I've never done it myself in a script or shell command. Looks like it would be something like
dsconfigad -groups "group1,group2"
Making sure to put a comma between each group to be added and surrounding them all in double quotes.
