• If the windows group like 'MyCorp\ProductionDBA' or 'Builtin\Administrators' are members of SYSADMIN, and user account 'MyCorp\JohnSmith' is added to one of these groups, then he has sysadmin privillage. There is no 'CREATE LOGIN..' or 'GRANT..' operation, and as far as I know, there is no profiler event, extended events, trigger, or meta-data change within SQL Server that could be leveraged to alert this at the time the domain group membership is added.

    However, one thing that could be done is to create a LOGIN trigger that checks the sysadmin privillage of an account at time of login and then compares user's account name to a table containing list of known admins.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho