To avoid accidental granting of SA, go to your server's web admin page and change the permissions of your SA's so they can not grant SA from with in TS. Stop the server, go to your config file for TS and change the http admin port from 14534 to something totally off the wall and then restart the server. Then log on as "super admin" to the web admin page again and create 1 new "Super Admin" account that has a totally different name that the one you use on TS and create a complex password for it (using symbols, numbers, lower case letters and upper case letters). After creating that account, logoff the web admin page and re-log on as the new "Super Admin" and DELETE ALL OTHER "SUPER ADMINS".

That will help you out a lot. If you need to add SA's you can do it from the web admin or temporarily enable the option and disable it again once you granted the SA.