Your problem cannot be resolved through technical means. It requires a management control too.
You need to have a good logging/monitoring mechanism. This will support management controls.
Creating a good logging mechanism is out of scope of a quick answer
1. Log to a remote computer where local administrator doesn't have access.
2. Use Hardware security modules and store signature keys there. Then use them to sign access logs. In this way administrator cannot change signing keys and hence cannot delete/modify the logs undetected.
3. Configure Windows security logging appropriately.