Jamf Protect allows you to collect logging information via analytics. We worked with the Jamf Support team and they gave me a custom predicate to build my analytics.
$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.sudo"
While this seems to capture all sudo activity, it's capturing too much and I need a way to adjust this further to filter out some of the noise. The issue is that we are also using Jamf Pro policies with scripts to control CIS controls. Many of those controls require sudo commands so it gets pretty chatty. We are not ready to use Splunk just yet but it's getting closer if I can't find a good filtering solution. Would love to hear from the community. Thanks in advance!