A DBA doesn't necessarily need to be a local admin on the Windows server, and depending on their daily responsibilities, a DBA doesn't need to be a member of the sysadmin role in SQL Server either. For example, there are special server level roles for things like managing backups, bulk loading, or creating databases.

Just for piece of mind, one solution would be to have an external process running on another server (for which the SQL Server admin has no control), that pings the SQL Server instance every couple of minutes, checking the status of the audit trace, running a delta check on server options and permissions, and also pulling across a copy of the audit log.