Bottom line is that if someone in IT has access to the files/database, then in theory logs can be edited. That is a professional trust issue for your employees/employers.
The way around it, if it is an issue, is the same way a decent accounting system handles cash - split the functionalities: the people controlling the cash in/out are not the people recording and approving the accounts etc. Those handling the cash have no responsibilities/power over the recording of the income/expenditure and those with the recording function do not have physical access to the cash.
ie front-end site admin is the one who does everything on the UI, backend server staff have access to the files/database. Backend staff have no interaction with what goes on at the front end, the students or the teaching staff and so no incentive to edit anything in the logs, while the people who interact at the front-end are not given the permissions to access code/database.
OR if you have to have your main Site Admin as the IT person (there are after all site wide settings that need server side knowledge to set in the front-end), do not share that role any wider, use the Manager role for other staff needing that kind of access and control it with the capabilities.
If trust is such a major issue, you could also keep and audit server logs separate from the Moodle ones which record any access and changes to server files/database etc. It really all does come down to a matter of professional responsibility and trust and where your institution wants to draw the line.