My approach to being a DBA is that I am here to protect the company's data. This to me means that no one ever uses the sa account on any system that I manage. I told this to the management team before I was hired.
As the DBA you are not always popular. You are there to protect the money, which is exactly what information in a company's database is.
Take the hard line of changing the password, then rename sa to something else (good security practice anyway), and only use that account in an emergency. Limit rights on databases to only what is required and even question that access.
If you do not protect the data and something happens to it, you are the one that is in trouble. Take the hard line, and in the long run you and your company will be better off for it.
Stacey W. A. Gregerson
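
The steps described in the post above, written out as T-SQL. This is an added example, not part of the original post; it assumes Microsoft SQL Server, and the new login name and the password are placeholders.

```sql
-- Added example; assumes Microsoft SQL Server.
-- The login name and password below are placeholders, not values from the post.

-- 1. Change the sa password (long random value, stored in a vault).
ALTER LOGIN [sa] WITH PASSWORD = N'<REPLACE-WITH-LONG-RANDOM-PASSWORD>';

-- 2. Rename the account. The built-in login keeps SID 0x01 whatever it is called.
ALTER LOGIN [sa] WITH NAME = [emergency_admin_placeholder];

-- 3. Verify the rename by looking the login up by SID, not by name.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;

-- 4. List everyone who holds sysadmin, so each membership can be questioned.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 5. In each user database: members of db_owner, the broadest database role.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner' AND m.name <> N'dbo';

-- 6. In each user database: explicit grants, to compare against what is required.
SELECT pr.name AS principal_name,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name NOT IN (N'public', N'dbo')
ORDER BY pr.name, pe.permission_name;
```

Queries 5 and 6 report on the current database only, so run them once per database under review.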