root and the managed environment
OK, another open-ended question.
While writing my grand setup script it was pointed out to me that the setting of the root password and then disabling root was pointless in Leopard.
I tested and, lo and behold, it's true.
Any local admin can reset the root account password without knowing it, and can activate/deactivate root again without knowing any more than their own password.
So, aside from setting root to not be able to login, what do you do to control it?
I know, most say they don't let their users in as admin. That is not an option for me.
I am wondering if maybe there is an access list for enabling/disabling and resetting the password of root. Sudo has such a list, but it's built into the command, so I am not hopeful.