It is possible, and you cannot prevent it.
Most devices will allow administrators to backup or extract certificates, including the private key. Your perception of security is not in line with the actual, real world practice.
Someone (or some group) must authorize the devices. Typically, the technical authorization mechanism is handled as a completely separate process from the management review and approval. These processes are usually performed by two entirely different sets of people. The key element here is trust.
So how do you have any security at all?
Your only choice is to trust your administrators. In the interest of robust security, however, you always verify when you are forced to trust.
How do you verify? You can review logs from your 802.1X or RADIUS network devices for problems. Does the "same" device have an active connection in multiple places at the same time? Does the "same" device show up with many different MAC addresses when it only has one NIC?
If you have an asset tracker or a vulnerability scanner, you may detect rogue devices this way as well.
The bottom line: You should perform regular monitoring and enforcement of the security policy, or eventually things will go as badly as you fear.
What about things you can't trust?
Some devices are inherently untrustworthy. E.g., your admins might not have complete control over a personal smartphone connected to the network. In that case, it is best to put those devices on a restricted VLAN.
You should always setup monitoring, detection, and barriers between the important things and the untrustable things on your network. If you ever find that it is impossible to do so, then your organization has a serious risk that must be escalated to management for resolution.
