The question of monitoring AD is ancillary to the problem you appear to be having. Firstly are the events you wish to capture documented and published to the relevant people. So everyone knows what is correct and incorrect usage of systems, and the scope of their roles.
The events that you want to capture should be aligned with the governance of the business and IT resources. Simply going into the windows security logs and Active directory changes looking for problems is mostly a fruitless exercise.
Have you made a concerted effort to remove access to domain wide administration level permissions ie Domain Admin or Enterprise Admin. The permissions aren't necessary for most admins and proper delegation, issuing, revocation of permissions from admins should they need access to something centralizes security and brings visibility to activities of admins.
And in step with the above, an exhaustive scrub and search for delegated permissions on objects is a must. Poor visibility to such assignments on object in the AD management tools most admins would be familiar with can let this absolute huge one go monitored.
Beyond some of these suggestions to tighten the operational security of the companies assets, may I also suggest that you begin documenting from a security stand point. What you want to know about, and what needs securing and monitoring and developing the systems and procedures to make it all visible, measurable, non reputable, reviewed and so forth.
The data deluge out there is huge, solving the problem by hoovering and searching isn't the way when it comes to security, especially insider based vectors and actors. My opinion I'm sure the NSA disagrees with.