Why do external consultants (is that correct?) have your root passwords? change the root password, setup sudo for their accounts.
If you dont want to for somereason you could change the owners(group and probably owner) of su and put all those who need to su into that group, then allow owner/group to execute but not the rest of the world.
Just some suggestions