Nothing immediately jumps out at me to get a simple correlation for what you're looking at; here are a few permutations that came to mind:
1. What you're suggesting would involve a sourceaccount = *username* vs *user-admin* type of correlation which would be several rules or lines of individual correlation at least.
2. Using two groups so that any admin account that modifies the vanilla account of an admin would alert. I favor this approach so that if I lean over and have my buddy do the thing it still shows up as an alert.
3. Alert or report on password resets from your admin accounts. Likely you would want to at least report on this, but could use it in conjunction with 2 above to alert when an admin resets any other admin's password.
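
The two-group correlation and the password-reset reporting described in the post above, as an added sketch that is not part of the original post. The account names, group contents, action names and event fields (`source`, `target`, `action`) are constructed assumptions, not any particular SIEM's schema.

```python
# Added example: all names, groups and event fields below are constructed.
ADMIN_ACCOUNTS = {"jdoe-admin", "asmith-admin"}   # group 1: privileged accounts
ADMIN_VANILLA_ACCOUNTS = {"jdoe", "asmith"}       # group 2: everyday accounts of the same people
MODIFY_ACTIONS = {"group_add", "attribute_change", "password_reset"}

# Constructed sample events standing in for normalized directory audit logs.
EVENTS = [
    {"id": 1, "source": "jdoe-admin", "target": "jdoe", "action": "group_add"},
    {"id": 2, "source": "ASmith-Admin", "target": "jdoe", "action": "group_add"},
    {"id": 3, "source": "jdoe-admin", "target": "bwhite", "action": "password_reset"},
    {"id": 4, "source": "jdoe-admin", "target": "asmith-admin", "action": "password_reset"},
    {"id": 5, "source": "bwhite", "target": "bwhite", "action": "password_reset"},
    {"id": 6, "source": "asmith-admin", "target": "asmith", "action": "logon"},
]

def classify(event):
    """Return (severity, reason) for an event, or None if no rule matches."""
    src = event["source"].lower()
    tgt = event["target"].lower()
    action = event["action"]
    # Only modifications performed by a member of the admin group are in scope.
    if src not in ADMIN_ACCOUNTS or action not in MODIFY_ACTIONS:
        return None
    # Two-group rule: any admin account touching any admin's vanilla account.
    # Matching on group membership (not name pairs) also catches the case
    # where a colleague's admin account makes the change.
    if tgt in ADMIN_VANILLA_ACCOUNTS:
        return ("alert", "admin account modified an admin's vanilla account")
    if action == "password_reset":
        # Combined rule: an admin resetting a different admin account's password.
        if tgt in ADMIN_ACCOUNTS and tgt != src:
            return ("alert", "admin reset another admin's password")
        # Baseline: every other reset by an admin account is reported.
        return ("report", "password reset performed by admin account")
    return None

def run(events):
    """Map event id -> (severity, reason) for events that matched a rule."""
    hits = {}
    for event in events:
        result = classify(event)
        if result is not None:
            hits[event["id"]] = result
    return hits

if __name__ == "__main__":
    for event_id, (severity, reason) in run(EVENTS).items():
        print(event_id, severity, reason)
```
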