There is nothing to stop sa from doing anything.
While DDL triggers can be good to audit what is going on at the server and in the databases, they are not good for preventing actions. Particularly, one must understand that they fire after the action. A DDL trigger to prevent indexes being created during office hours is entirely counterproductive.
From what you describe, you need to tighten security. Rename sa, change the password, write it down and lock it into a safe.
And for the rest, be considerate with the permissions you hand out. Although, there is always the problem that too much security gets in the way, and this is why auditing is a good way. But for auditing to work, you need to get sa and all other anonymous accounts out of the way, so that everyone can be held accountable for their actions.
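A DDL audit trigger of the kind the answer describes, as an added example that is not part of the original post. The table and trigger names are hypothetical, and the trigger is scoped to a single database to keep the permissions simple.

```sql
-- Added example: database-scoped DDL audit. Object names are hypothetical.
-- Run in the database to be audited (GO is the SSMS/sqlcmd batch separator).
CREATE TABLE dbo.DdlAudit (
    AuditId       bigint IDENTITY(1,1) PRIMARY KEY,
    LoggedAtUtc   datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName     nvarchar(128) NOT NULL,  -- login in effect when the DDL ran
    OriginalLogin nvarchar(128) NOT NULL,  -- login that opened the session
    EventType     nvarchar(128) NOT NULL,
    SchemaName    nvarchar(128) NULL,
    ObjectName    nvarchar(128) NULL,
    CommandText   nvarchar(max) NULL,
    EventXml      xml           NOT NULL   -- full EVENTDATA() for later review
);
GO

-- The trigger runs as the caller, so every user who can issue DDL must be
-- able to insert here; otherwise their DDL fails together with the insert.
GRANT INSERT ON dbo.DdlAudit TO public;
GO

CREATE TRIGGER trg_DdlAudit
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;

    -- The DDL statement has already executed when this code runs.
    DECLARE @e xml = EVENTDATA();

    INSERT INTO dbo.DdlAudit
        (LoginName, OriginalLogin, EventType, SchemaName,
         ObjectName, CommandText, EventXml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        ORIGINAL_LOGIN(),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e
    );
END;
GO
```

If several people connect as sa, every row records the same login and the audit cannot attribute a change to a person. A sysadmin can also disable the trigger, so it serves as a record, not a control.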