Monitor someone on server

You could give them an unprivileged account that has sudo access, but in /etc/sudoers you only give access to the command rootsh.

rootsh logs everything that takes place in a root shell, and you can push the logs to syslog and have them sent to an external server immediately.

It isn't bulletproof, but you must trust this person to some degree to even entertain the idea.
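The sudoers and syslog pieces of this setup, as an added example that is not part of the answer above. It assumes rootsh is installed at /usr/bin/rootsh and logs to the local5 syslog facility (both can differ depending on how rootsh was built or packaged), and that the remote collector accepts syslog over TCP 514:

```shell
# Added example: render a sudoers entry that limits one user to running
# rootsh under sudo, render an rsyslog rule that forwards rootsh's records to
# a remote collector, and syntax-check the sudoers fragment with visudo.
# Assumptions: rootsh lives at /usr/bin/rootsh and uses facility local5;
# the collector listens on TCP 514. Adjust both to your installation.

ROOTSH_BIN=/usr/bin/rootsh
ROOTSH_FACILITY=local5

# Print a sudoers entry letting USER run rootsh (and nothing else) as root.
# The path is fully qualified so sudo cannot match a user-supplied "rootsh".
rootsh_sudoers_entry() {
    user=$1
    printf '%s ALL=(root) %s\n' "$user" "$ROOTSH_BIN"
}

# Print an rsyslog rule forwarding the rootsh facility to HOST over TCP.
# "@@" selects TCP; a single "@" would send over UDP.
rootsh_syslog_forward_rule() {
    host=$1
    printf '%s.* @@%s:514\n' "$ROOTSH_FACILITY" "$host"
}

# Validate a sudoers fragment with visudo (-c: check only, -f: this file).
# Returns 0 if it parses, 1 if visudo rejects it, 2 if visudo is not installed.
check_sudoers_fragment() {
    file=$1
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$file" >/dev/null 2>&1
}

# Write the fragment for USER to a temporary file (mode 0440, as sudoers
# expects), check it, and print the path so it can be moved into place.
# Usage: install_rootsh_fragment alice
install_rootsh_fragment() {
    user=$1
    tmp=$(mktemp)
    rootsh_sudoers_entry "$user" > "$tmp"
    chmod 0440 "$tmp"
    if check_sudoers_fragment "$tmp"; then rc=0; else rc=$?; fi
    if [ "$rc" -eq 1 ]; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}
```

The fragment can be copied under /etc/sudoers.d (when the main file includes that directory) and the rsyslog rule into /etc/rsyslog.d; with the fragment in place, the user's only sudo-able command is the logged root shell.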


Consider another approach, using a Configuration Management tool. One that might suit your needs, and is more powerful, is Puppet.

Let the guy put all the configuration to be done in a Puppet file. Advantages:

  • A very robust way of managing the configuration changes. Everything is in a file, rather than a description of what has been done.
  • You will stay in control, as it lets you...
    • try the configuration on another machine and verify it.
    • decide to apply it whether it looks good or not.
    • pick the moment in time the changes take place.
  • Reduces the time the changes are happening; it's automated.
  • You can repeat a similar configuration very easily just by customizing the configuration definition.

It boils down to this: the person responsible for the actual application configuration does not need shell access, and it provides a way of separating his responsibilities from those of the system administrator(s).

Update:

There is a big practical disadvantage too: it's a big elephant to smash this mosquito, so it might not fit your current situation. Not everyone is familiar with Puppet, and low-quality Puppet definitions are worse than having a script set it all up.

This leads me to another similar but simpler approach: let the guy develop a script that runs the necessary commands to change the configuration. It has some of the advantages listed above, yet does not require that much of an elephant of a tool.