• Note that SQL Server logins do not map to AD groups. In option 1 you are still creating a Windows authenticated login, you are just associating it with an AD group instead of an AD user or a local system user/group.

    If you are using Mixed Mode authentication you can set up SQL Server logins for the specific individuals who will be the SAs. Otherwise the AD group is the way to go; just monitor group membership as well as permissions on the instance.

    There is not going to be a 100% way to lock it down from AD Domain/Enterprise admins if the SQL instance is on a domain. Even if you lock it down so that AD admins do not have access, if they have local admin privileges on the box they can start up the instance in a way where they will have access (commonly used if access to an instance is forgotten/lost).

    Joie Andrew
    "Since 1982"
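The two approaches in the reply above (a Windows login mapped to an AD group, or a Mixed Mode SQL login for a named SA), together with the membership and permission checks it recommends, as an added T-SQL example that is not part of the post. `CORP\SQLAdmins` and `sa_jdoe` are constructed placeholder names, and `ALTER SERVER ROLE` assumes SQL Server 2012 or later.

```sql
-- Added example (not from the post): a Windows-authenticated login for an AD
-- group, the Mixed Mode alternative, and the audit queries used to watch
-- sysadmin membership. [CORP\SQLAdmins] and [sa_jdoe] are constructed names.

-- Option 1 from the thread: one Windows login mapped to the AD group.
-- Who is an SA is then controlled by AD group membership, not on the instance.
CREATE LOGIN [CORP\SQLAdmins] FROM WINDOWS WITH DEFAULT_DATABASE = [master];
ALTER SERVER ROLE [sysadmin] ADD MEMBER [CORP\SQLAdmins];

-- Mixed Mode alternative: a SQL Server login for one named administrator.
-- Requires Mixed Mode on the instance; the password is a placeholder.
CREATE LOGIN [sa_jdoe] WITH PASSWORD = N'<replace-with-strong-password>',
    CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [sa_jdoe];

-- Audit 1: every principal holding sysadmin on this instance and its type.
-- A WINDOWS_GROUP row means the real member list lives in AD, not here.
SELECT p.name        AS principal_name,
       p.type_desc   AS principal_type,
       p.is_disabled,
       p.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- Audit 2: expand the AD group as the instance resolves it right now, so the
-- review covers the people who actually inherit sysadmin, not just the group.
EXEC master..xp_logininfo @acctname = N'CORP\SQLAdmins', @option = N'members';
```

Run the two audit queries on a schedule and diff the results; a new row in either one is a change to who can administer the instance.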