The Human Problem (Social Engineering)
You have teachers casually handing passwords out to students. The first group you need to educate about the use of the network is your teachers. Otherwise, further security measures are pointless.
Presuming you are using a strong password for the WiFi key and using WPA2 (not WEP or even WPA, but WPA2), the wireless network is not particularly easy to break into.
Which means your teachers are giving the password to your students, either directly and intentionally, or through a lax treatment of security (writing the password down, leaving computers unlocked, etc.)
There are plenty of other answers addressing things like MAC address filtering (pointless), establishing clear consequences for misuse of the network, etc.
Some answers also address the possibility of giving students their own network to use.
The Technical Solution
A few answers have suggested variations of setting up a secure network. This can be done with a relatively minimal investment, and can be easily extended to provide multiple networks for different uses (teacher's/admin network for sensitive stuff, student network for classroom Chromebooks and maybe even limited use of students' own devices).
If you have Active Directory (a Windows server) or a Linux SAMBA server, you can set up WPA-Enterprise authentication on your wireless network.
Further, you can deploy relatively affordable access points that communicate with each other and enable you to serve multiple SSID's (more than one wireless network), each on a separate VLAN. Each VLAN is a separate network and cannot communicate with other VLANs except through a router, so the router is where you establish firewall rules to control what can communicate with what. And one network can use WPA-Enterprise while another uses WPA2, or is open but forces authentication via a captive guest portal, and a firewall preventing connections into the admin network.
Just granting the students a network-connected domain of their own may reduce the number of them who are interested in breaching policy and risking their grades or their summers to break into the sensitive administration network.
I'm not trying to sell any particular gear, but as just one example you can get Ubiquiti Unifi AP's for under $70 each. They can serve up to four SSID's, and the controller software is "free" and runs on Windows or Linux and includes a guest portal enabling you to require visitors (aka "students") to log on individually in order to access the network. You can deploy as many of these as you need in order to get adequate wireless coverage, and devices/laptops will roam seamlessly among all of the AP's. They're PoE devices, so all they need in order to function is an Ethernet cable. http://www.amazon.com/Ubiquiti-Networks-UniFi-Enterprise-System/dp/B004XXMUCQ
You can get a real router for $100 that'll push close to a Gigabit per second through the routing engine (actually, for $50 with somewhat lesser throughput if you get the "little brother" version, and yes I'm thinking of a particular brand). Either of these little routers would give you a single Internet connection (or redundant connections if you prefer) and the ability to segment the network into multiple VLANs and control communications between those segments, and present a different DHCP server to each network segment. So you could direct all the student connections through a proxy server that logs activity and watches for sneaky/inappropriate stuff if that's what you want to do.
You can get an 8 port managed ("smart") Gigabit Ethernet switch with fully adequate VLAN support for $30, or a 24 port version of the switch for $80. For the scale and budget you're dealing with, you don't have to spend thousands of dollars per device to use top-shelf HP Procurve or Cisco switches and super-expensive wireless devices with dedicated hardware controllers. Those are great, don't misunderstand, but if it isn't in the budget, then it isn't in the budget.
For a few hundred dollars, somebody with a little bit of networking knowledge and access to online documentation and forums could set up a robust network.