Make sure you clearly distinguish
between the sa account and the sysadmin fixed server role.
By using Windows Authentication you can block ‘sa’ from logging in at
all.
To keep the local admin from getting access to the database
(or server), you need to grant access to the server to another account
(someone needs to be a sysadmin) and put this account in the sysadmin
role. Now you can safely remove the ‘BUILTIN\Administrators’ login or
simply remove it from the sysadmin role.
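
The steps above as a T-SQL script, added here as an example and not part of the original text. It refuses to touch BUILTIN\Administrators unless another enabled Windows sysadmin exists. The group name CONTOSO\SqlAdmins is a placeholder, and the ALTER SERVER ROLE syntax assumes SQL Server 2012 or later.

```sql
-- Added example. [CONTOSO\SqlAdmins] is a placeholder Windows group.
-- Assumes SQL Server 2012+ (older versions: sp_addsrvrolemember / sp_dropsrvrolemember).
SET NOCOUNT ON;

-- 1 = Windows Authentication only (SQL logins such as sa cannot log in), 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Step 1: grant server access to the replacement account and put it in sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SqlAdmins')
    CREATE LOGIN [CONTOSO\SqlAdmins] FROM WINDOWS;

IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.name = N'CONTOSO\SqlAdmins')
    ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\SqlAdmins];

-- Step 2: count enabled Windows logins/groups in sysadmin, ignoring
-- BUILTIN\Administrators and the NT AUTHORITY / NT SERVICE service principals.
DECLARE @others int = (
    SELECT COUNT(*)
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
      AND m.type IN ('U', 'G')            -- Windows login or Windows group
      AND m.is_disabled = 0
      AND m.name <> N'BUILTIN\Administrators'
      AND m.name NOT LIKE N'NT %');

IF @others = 0
BEGIN
    RAISERROR('No other Windows sysadmin found; leaving BUILTIN\Administrators alone.', 16, 1);
    RETURN;
END;

-- Step 3: take the local Administrators group out of sysadmin if it is a member.
IF EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.name = N'BUILTIN\Administrators')
    ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];
-- To remove the login entirely instead: DROP LOGIN [BUILTIN\Administrators];
```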
