Logging user login of administrator

Has anyone had any success or tips for logging when the administrator logs in?

I have an event that logs security event 538 and security event 540.

It's really just to see if anyone is logging in as administrator. (Some have the password but are not supposed to use it unless it's an emergency.) However, I get login events being emailed to me via the eventlog software that I'm sure are not users logging in. The trouble is that some processes that run show up as administrator logins. It seems almost impossible to distinguish between an actual console or Active Directory login of the administrator and, say, when some mysterious processes are running that seem to use that permission.

For example, I have a login every night at the same time, e.g. 12:40am, indicating that it's some process. (I'm sure at this point that it's not a person or hacker.) I'm not even really sure what process. Can't tell.

I have even got it filtered to only email me for login id of 3, which is supposed to be primarily logins. However, my reading tells me that this can also be something accessing something on the network from a remote computer.

Anybody got any help on how to log only activity that is an actual login of a person somewhere on the domain using the administrator username and password? I really need some granularity.

thanks
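
An added example, not part of the original post: one way to separate a person signing in from a process, by filtering on the Logon Type field rather than only on the event ID. In the pre-Vista Security log, event 528 is a successful logon (540 is the network-only variant), and logon types 2, 7, 10 and 11 are the ones produced at a console or over Terminal Services. The record layout and sample values below are constructed for illustration.

```python
from collections import defaultdict

# Windows logon types produced by a person at a keyboard or RDP session.
HUMAN_TYPES = {2: "Interactive", 7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Pre-Vista Security log IDs: 528 = successful logon, 540 = successful network logon.
LOGON_EVENT_IDS = {528, 540}

# Constructed sample records, as if exported from the Security log (field names assumed).
SAMPLE_EVENTS = [
    {"id": 540, "time": "2009-03-02 00:40", "user": "Administrator", "type": 3, "workstation": "SRV-BACKUP"},
    {"id": 540, "time": "2009-03-03 00:40", "user": "Administrator", "type": 3, "workstation": "SRV-BACKUP"},
    {"id": 528, "time": "2009-03-03 02:00", "user": "Administrator", "type": 5, "workstation": "DC01"},
    {"id": 528, "time": "2009-03-03 14:12", "user": "Administrator", "type": 2, "workstation": "DC01"},
    {"id": 538, "time": "2009-03-03 14:30", "user": "Administrator", "type": 2, "workstation": "DC01"},
    {"id": 528, "time": "2009-03-03 19:05", "user": "administrator", "type": 10, "workstation": "TS01"},
    {"id": 528, "time": "2009-03-03 09:00", "user": "jsmith", "type": 2, "workstation": "WS17"},
]

def _is_admin_logon(event, account):
    # 538 (logoff) is skipped; account names compare case-insensitively.
    return event["id"] in LOGON_EVENT_IDS and event["user"].lower() == account

def human_admin_logons(events, account="administrator"):
    """Logons where the account signed in at a console or over RDP: alert on these."""
    return [e for e in events
            if _is_admin_logon(e, account) and e["type"] in HUMAN_TYPES]

def recurring_sources(events, account="administrator", min_days=2):
    """(workstation, HH:MM, type) seen on several days: likely a scheduled job."""
    days = defaultdict(set)
    for e in events:
        if _is_admin_logon(e, account) and e["type"] not in HUMAN_TYPES:
            date, hhmm = e["time"].split()
            days[(e["workstation"], hhmm, e["type"])].add(date)
    return sorted(key for key, seen in days.items() if len(seen) >= min_days)

if __name__ == "__main__":
    for e in human_admin_logons(SAMPLE_EVENTS):
        print("ALERT", e["time"], e["workstation"], HUMAN_TYPES[e["type"]])
    for workstation, hhmm, ltype in recurring_sources(SAMPLE_EVENTS):
        print("recurring non-interactive logon:", workstation, hhmm, "type", ltype)
```

The Workstation Name on a recurring type 3 event is the machine to inspect for the scheduled task or service using the account.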