If you change the line shown above to this, your wheel group members will not be able to run commands as other users:
%wheel ALL=(root) ALL
Of course, even this syntax does not preclude the use of "sudo su". The su command is, after all, just another command. Anyone who runs the sudo su command would switch to the root account and, from there, work as root without having to prepend each command with "sudo" and without having the commands logged. With sudo no longer reviewing the commands that are entered and nothing getting logged to /var/log/secure, our wheel users could then operate as root without any further control. The same problem occurs if your admin runs "sudo bash" or "sudo sh" (or sudo followed by the name of any other shell you might have on your system).
To outlaw the use of "sudo su", "sudo bash" and similar commands, you could define a command alias that includes the commands you don't want to be available via sudo:
Cmnd_Alias BANNED = /bin/bash, /bin/sh, /bin/su
and then include the command alias name in your %wheel entry like this:
%wheel ALL=(ALL) ALL, !BANNED
Note that this line reads "all commands except those that are in our banned list" (! = NOT). When sbob next tries to "sudo su", he would get the following reaction:
[sbob@penguinista]$ sudo su
[sudo] password for sbob:
Sorry, user sbob is not allowed to execute '/bin/su' as root on penguinista.
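An added example, not from the original article: a small Python check that lists the shells in an /etc/shells listing that a command alias such as BANNED does not name, since the rule above only blocks the paths it lists. The sample sudoers text and shell list are constructed and the function names are hypothetical; the check compares literal paths and expects one alias per line.

```python
import re

# Constructed sample input: the two sudoers lines from the article and a
# made-up /etc/shells listing. Pass real file contents to audit a host.
SAMPLE_SUDOERS = """\
Cmnd_Alias BANNED = /bin/bash, /bin/sh, /bin/su
%wheel ALL=(ALL) ALL, !BANNED
"""
SAMPLE_SHELLS = """\
# constructed /etc/shells
/bin/sh
/bin/bash
/bin/zsh
/bin/ksh
"""


def parse_cmnd_aliases(sudoers_text):
    """Return {alias name: set of command paths} for each Cmnd_Alias line."""
    aliases = {}
    # Join lines continued with a trailing backslash before parsing.
    text = re.sub(r"\\\n", " ", sudoers_text)
    for line in text.splitlines():
        match = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if not match:
            continue
        name, members = match.groups()
        # Keep only the path of each member, dropping any arguments.
        aliases[name] = {m.split()[0] for m in members.split(",") if m.strip()}
    return aliases


def unbanned_shells(sudoers_text, shells_text, alias="BANNED"):
    """List shells from shells_text whose literal path is not in the alias."""
    banned = parse_cmnd_aliases(sudoers_text).get(alias, set())
    shells = [s.strip() for s in shells_text.splitlines()
              if s.strip() and not s.lstrip().startswith("#")]
    return sorted(s for s in shells if s not in banned)


if __name__ == "__main__":
    for shell in unbanned_shells(SAMPLE_SUDOERS, SAMPLE_SHELLS):
        print("not covered by BANNED:", shell)
```

Any path it reports is a shell that the BANNED alias, as written, would still let a wheel member start through sudo.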
If our admin, instead, is restricted to issuing commands with sudo to run them as root, he or she would still likely be prompted to enter his or her password only once every five minutes -- the default for most installations of sudo. This timeout could be changed in the /etc/sudoers file with the timeout option. However, re-authenticating every five minutes does not seem like too much of a burden.
Not having a timeout or having a very short timeout would likely be a hindrance to work getting done. I don't know about you, but I would find the process of entering several dozen commands as root by prefacing each of them with the word sudo and then having to respond to a prompt for my password tiresome as well as distracting, never mind how much it would slow me down. The timeout limit makes sense to me and gives you the ability to capture the sudo user's commands without overburdening him or her with repeated requests to re-authenticate.
NOTE: Banning "sudo su" and similar commands could backfire if your admins cannot su to the root account using root's password. You might want to be sure that your most trusted admin can "sudo visudo" (edit the /etc/sudoers file as root) to ensure that you can easily change the configuration of this file if ever it doesn't work for you.