You can try
-A OUTPUT -p tcp -m tcp --dport 22 -j DROP
ie at the firewall/iptables level.
However, I think we need more info, see the discussion here http://linux.livejournal.com/1855345.html?nojs=1
One of the things pointed out is that if the suers can copy sw onto the box, they can install their own copy of the ssh client and potentially ssh out to a different port than 22, unless that's not a problem in this case.
EDIT: too slow, beaten by Noway