My Special Security Team, not being UNIX/Linux savvy, asked me if I could put into place
audit rules that monitor "Root-Level" commands.
I don't know of any specific identifier for such a term, and the closest thing I could
come up with was monitoring those files that fall under /usr/sbin/ and /sbin/; does anyone
else have any thoughts about how to approach this task?
I figured I would use a rule such as:

    -w /sbin/ -p rawx -k watch_root_commands

(I used rawx to account for replacement by a hacker.)
Thank you in advance,
Warron French, MBA, SCSA
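One way to approach the question in the post, as an added example that is not part of the original message: rather than (or in addition to) watching /sbin and /usr/sbin, audit every execve() made with effective uid 0, so that a root shell running a binary copied to /tmp or a tool in /bin is recorded too, and keep write/attribute watches on the privileged directories to catch replacement of the tools themselves. The rule keys (root_commands, root_bin_change), the RULES_DIR output location, and the audit.log records are my own choices and constructed samples, not anything from the post or from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: an auditd rule set for
# "commands run as root" plus a small check over constructed log lines.
# RULES_DIR is an assumption so the script runs stand-alone; on a real
# host the file belongs in /etc/audit/rules.d/ and is loaded with
# `augenrules --load` (or `auditctl -R <file>`), both of which need root.
RULES_DIR="${RULES_DIR:-${TMPDIR:-/tmp}/audit-rules-example}"

# The rules. A path watch with -p x on /sbin only records executions of
# files inside /sbin, so root running /tmp/x or /bin/cp is missed; the
# execve rule filtered on euid=0 records every program started with root
# privileges whatever its path. The -p wa watches still fire when a
# privileged tool is modified or replaced.
root_command_rules() {
    cat <<'EOF'
## every program executed with effective uid 0 (64- and 32-bit ABI)
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands
-a always,exit -F arch=b32 -S execve -F euid=0 -k root_commands
## write/attribute changes to the privileged tool directories
-w /sbin/ -p wa -k root_bin_change
-w /usr/sbin/ -p wa -k root_bin_change
EOF
}

# Write the rule file and print its path (loading is left to the admin).
write_root_command_rules() {
    mkdir -p "$RULES_DIR"
    root_command_rules > "$RULES_DIR/50-root-commands.rules"
    printf '%s\n' "$RULES_DIR/50-root-commands.rules"
}

# Constructed sample audit.log records (not real captures): a sudo-style
# root execve by login user 1000 (auid=1000, euid=0), the EXECVE record
# that accompanies it, an ordinary user command the rule ignores, and a
# root execution of a binary outside /sbin that a path watch would miss.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="root_commands"
type=EXECVE msg=audit(1700000000.101:301): argc=2 a0="useradd" a1="backdoor"
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2004 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="x" exe="/tmp/x" key="root_commands"
EOF
}

# Reduce the SYSCALL records tagged by the rule to "auid exe": which login
# user ran which program as root. On a live host the equivalent view is
# `ausearch -k root_commands -i` or `aureport -x -k`.
root_execs() {
    awk '
        /^type=SYSCALL / && /key="root_commands"/ {
            auid = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^exe=/)  { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            print auid, exe
        }'
}

# Stand-alone run: write the rule file, then list root executions from the
# sample. Expected output: "1000 /usr/sbin/useradd" and "1000 /tmp/x".
write_root_command_rules
sample_audit_log | root_execs
```

The auid field is the important one for a security team: it is the original login uid and survives sudo/su, so the report names the person rather than "root". A common refinement is to add `-F auid>=1000 -F auid!=4294967295` to the execve rules so that only commands from human login sessions are logged and daemons started at boot (auid unset) are left out; otherwise an euid=0 execve rule on a busy server is noisy.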