Firmware passwords?

catfeetstop
Contributor II

Do you guys use firmware passwords? We've had a few users boot to single user mode so they can create a new admin account on their computers.

In Casper, how could I search for any Macs that have an admin account other than the ones I created?

- jamie


mm2270
Legendary Contributor III

We use EFI passwords to prevent users from using the boot selector or single user mode and a number of other things. If you really want to prevent tampering from curious types, you'll need to do it.

Also, try this script as an Extension Attribute; just change the "administrator" and "sysadmin" to reflect any names of your known local admins. Be careful though. If you grep for a generic term like "admin" it could end up excluding any accounts someone created such as "myadmin". There's a way to make sure you're getting exact matches, but it escapes me at the moment. Hopefully your local admin accounts aren't too similar to anything a user may have created.

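#!/bin/bash

## Get list of users other than known admins
## (the pattern is quoted so the shell does not treat | as a pipe to a "sysadmin" command)
userList=$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/egrep -v 'administrator|sysadmin')

## Cycle through each and collect the ones that are members of the admin group
extraAdmins=""
for i in $userList; do
    if [[ $(/usr/sbin/dseditgroup -o checkmember -m "$i" admin | /usr/bin/awk '{ print $1 }') = "yes" ]]; then
        extraAdmins="$extraAdmins $i"
    fi
done

## Report one result for the Extension Attribute
if [[ -n "$extraAdmins" ]]; then
    /bin/echo "<result>Extra admins:$extraAdmins</result>"
else
    /bin/echo "<result>No extra admins found</result>"
fi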
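
An added example, not part of mm2270's post: one way to get the exact matches the reply mentions is `grep -Fx`, which compares whole lines as fixed strings, so an allowlisted "sysadmin" does not hide an account named "sysadmin2". The allowlist names are the placeholders from the post; the function names and the sample account list are constructed for illustration.

```shell
#!/bin/sh
# Known local admin accounts (placeholder names taken from the post).
KNOWN_ADMINS="administrator sysadmin"

# Read account names on stdin, print those that are NOT exactly one of the
# names given as arguments. -F fixed strings, -x whole line, -v invert.
filter_unknown() {
    [ "$#" -gt 0 ] || { cat; return 0; }
    allow=$(printf '%s\n' "$@")        # one pattern per line
    grep -Fxv -e "$allow" || true      # grep exits 1 when nothing is left
}

# Turn the names on stdin into a single <result> line for an Extension Attribute.
format_result() {
    extras=$(paste -sd ' ' -)
    if [ -n "$extras" ]; then
        echo "<result>$extras</result>"
    else
        echo "<result>No extra admins found</result>"
    fi
}

# macOS only: local accounts with UID >= 501 that are members of the admin group.
local_admins() {
    /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1 }' |
    while read -r u; do
        if /usr/sbin/dseditgroup -o checkmember -m "$u" admin 2>/dev/null | grep -q '^yes'; then
            echo "$u"
        fi
    done
}

if [ -x /usr/bin/dscl ]; then
    # $KNOWN_ADMINS is left unquoted on purpose so each name is one argument
    local_admins | filter_unknown $KNOWN_ADMINS | format_result
else
    # Constructed sample: pretend these four accounts are all admins
    printf '%s\n' administrator sysadmin myadmin sysadmin2 |
        filter_unknown $KNOWN_ADMINS | format_result
fi
```

With the constructed sample, "myadmin" and "sysadmin2" are both reported, where a substring match on "sysadmin" would have dropped the second one.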