Another issue is when a domain group (ie: MYCORP\ProductionDBA), which is a member of SYSADMIN sqlserver group, has a new domain member added. That doesn't trigger any event or meta data change in SQL Server.
From within SQL Server, you can list members of a domain group like so:
exec xp_logininfo 'MYCORP\ProductionDBA','members';
Query accounts, domain groups, and members who have admin membership.
http://www.sqlservercentral.com/articles/Security/76919/
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho