September 23rd, 2003, 12:19 AM
#7
(Depending on your setup these may need to be made in the domain controller and domain security policies as well.)
1. Disconnect the system hosting the admin account (I assume the PDC) from the network.
2. Review active directory users and groups > builtin > administrators > properties > members.
3. Auditing, at least: group policy > computer configuration > windows settings > security settings > local policies > audit policy
Audit account logon events: success, failure
Audit account management: success, failure
Audit policy change: success, failure
4. key stroke recording:
group policy > computer configuration > windows settings > security settings > local policies > security options >
Message title for users attempting to log on: Notice:
Message text for users attempting to log on: Some legal message that suits your exact needs but should cover that you are making use of all auditing techniques available to you, including but not limited to keystroke recording. Also discuss that the logs from the audits may not only be turned over to any law enforcement agency you see fit in the event of a compromise but also the log data may be reviewed by library personnel during routine system upkeep.
5. change the admin password
6. logon to each client system with the new admin account (this is only needed if clients have logon cache enabled)
there are more extensive guides available from places like CERT:
http://www.cert.org/tech_tips/win-UN...ompromise.html
which include things like reviewing for trojans and whatnot, you may wish to take that route, but if you just feel that someone has the admin password the 6 steps I gave you should be comprehensive enough to fix the problem and track down the culprit as well as prevent future such issues.
best of luck,
catch
Edited:
I just noticed that you are in Hong Kong, the legal notice about key logging may not be needed.
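One way to verify steps 3 and 4 after applying them, as an added example that is not part of the original post: it reads the text of a security template exported with `secedit /export /cfg` and reports which of the three audit categories lack success or failure auditing, and whether the logon message text is empty. The sample template and the function name are constructed for illustration.

```python
import configparser

# Audit categories from step 3, by their key names in the [Event Audit]
# section of a secedit export. Values are bit flags: 1 = success, 2 = failure.
REQUIRED = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditPolicyChange": "Audit policy change",
}
# Registry value behind "Message text for users attempting to log on" (step 4).
BANNER_KEY = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
              r"\Policies\System\LegalNoticeText")

def check_policy(inf_text):
    """Return a list of findings; an empty list means steps 3 and 4 are in place."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(inf_text)
    findings = []
    for key, label in REQUIRED.items():
        flags = int(cp.get("Event Audit", key, fallback="0"))
        missing = [name for bit, name in ((1, "success"), (2, "failure"))
                   if not flags & bit]
        if missing:
            findings.append(f"{label}: missing {', '.join(missing)}")
    # Exported registry values look like "<type>,<data>"; keep only the data.
    banner = cp.get("Registry Values", BANNER_KEY, fallback="").partition(",")[2]
    if not banner.strip().strip('"'):
        findings.append("Logon message text is empty")
    return findings

# Constructed sample export: one category complete, two incomplete, no banner text.
SAMPLE = r"""
[Unicode]
Unicode=yes
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 1
AuditPolicyChange = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Notice:"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
"""

if __name__ == "__main__":
    # For a real export, read the file first (secedit usually writes UTF-16):
    #   inf_text = open("policy.inf", encoding="utf-16").read()
    for finding in check_policy(SAMPLE):
        print(finding)
```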