• A Database DDL Trigger for the events ADD_ROLE_MEMBER or DROP_ROLE_MEMBER might give you the oversight you want. Note that a member of db_owner or sysadmin can always circumvent the triggers by disabling and enabling them or dropping and re-adding them before and after they make changes.

    Another option that could go hand-in-hand with a DDL Trigger or be a stand-alone solution is to take a snapshot of the role members periodically and compare it to the last snapshot to see if anything has changed. This will not tell you who made the change though, just that a change was made.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
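
The two approaches from the reply above, sketched in T-SQL as an added example that is not part of the original post. The audit table, snapshot table and trigger names are hypothetical, and the last batch is assumed to run as a scheduled job.

```sql
-- Added example: dbo.RoleMemberAudit, dbo.RoleMemberSnapshot and the trigger name are hypothetical.
CREATE TABLE dbo.RoleMemberAudit (
    AuditId    int IDENTITY(1,1) PRIMARY KEY,
    EventTime  datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName  nvarchar(128) NOT NULL DEFAULT ORIGINAL_LOGIN(),
    EventType  nvarchar(128) NULL,
    RoleName   nvarchar(128) NULL,
    MemberName nvarchar(128) NULL,
    EventXml   xml NOT NULL  -- full EVENTDATA() payload, kept for later review
);
GO
-- Runs in the caller's transaction; the caller needs INSERT on the audit table or the role change rolls back.
CREATE TRIGGER trg_AuditRoleMember ON DATABASE
FOR ADD_ROLE_MEMBER, DROP_ROLE_MEMBER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    INSERT INTO dbo.RoleMemberAudit (EventType, RoleName, MemberName, EventXml)
    VALUES (@e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(128)'),
            @e.value('(/EVENT_INSTANCE/RoleName)[1]',   'nvarchar(128)'),
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),  -- principal added or removed
            @e);
END;
GO
CREATE TABLE dbo.RoleMemberSnapshot (
    SnapshotTime datetime2(3)  NOT NULL,
    RoleName     nvarchar(128) NOT NULL,
    MemberName   nvarchar(128) NOT NULL
);
GO
-- Scheduled batch: diff current membership against the latest snapshot, then store a new snapshot.
DECLARE @last datetime2(3) = (SELECT MAX(SnapshotTime) FROM dbo.RoleMemberSnapshot);
SELECT r.name AS RoleName, m.name AS MemberName
INTO #cur
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id;

SELECT 'ADDED' AS Change, a.* FROM (
    SELECT RoleName, MemberName FROM #cur
    EXCEPT SELECT RoleName, MemberName FROM dbo.RoleMemberSnapshot WHERE SnapshotTime = @last) AS a
UNION ALL
SELECT 'REMOVED', d.* FROM (
    SELECT RoleName, MemberName FROM dbo.RoleMemberSnapshot WHERE SnapshotTime = @last
    EXCEPT SELECT RoleName, MemberName FROM #cur) AS d;

INSERT INTO dbo.RoleMemberSnapshot (SnapshotTime, RoleName, MemberName)
SELECT SYSUTCDATETIME(), RoleName, MemberName FROM #cur;
DROP TABLE #cur;
```

A membership change that shows up in the snapshot diff with no matching row in the audit table for the same interval indicates the trigger was disabled or dropped while the change was made.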