Server / Database triggers

In my development team, there are some naughty developers doing bad things by themselves, like creating databases, creating jobs, etc. Some even know the sa password.

Apart from blocking/disabling sa and changing the sa password, am I able to create a DDL trigger on the SERVER that can only be modified/deleted by its creator, not sa?

February 18th, 2015 2:58am

It depends on the permissions which the developers have. If they have sysadmin permissions, then there is no way to protect server/DB triggers or other objects. If they do not have the sysadmin role, then you could explicitly deny ALTER permissions on that trigger for all users other than the DBA.

February 18th, 2015 3:22am

There is nothing to stop sa from doing anything.

While DDL triggers can be good to audit what is going on at the server and in the databases, they are not good for preventing actions. Particularly, one must understand that they fire after the action. A DDL trigger to prevent indexes being created during office hours is entirely counterproductive.

From what you describe, you need to tighten security. Rename sa, change the password, write it down and lock it into a safe.

And for the rest, be considerate with the permissions you hand out. Although, there is always the problem that too much security gets in the way, and this is why auditing is a good way. But for auditing to work, you need to get sa and all other anonymous accounts out of the way, so that everyone can be held accountable for their actions.

February 18th, 2015 3:24am
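The auditing use of a server-level DDL trigger described in the answer above, as an added example that is not part of the original thread. The database, table, login and trigger names are hypothetical, and the password is a placeholder to replace.

```sql
-- Added example: every object name below is hypothetical.
CREATE DATABASE DbaAudit;
GO
-- Login used only for impersonation by the trigger; replace the placeholder password.
CREATE LOGIN ddl_audit_writer WITH PASSWORD = N'<replace-with-random-secret>';
ALTER LOGIN ddl_audit_writer DISABLE;  -- cannot connect, but can still be impersonated
GO
USE DbaAudit;
GO
CREATE TABLE dbo.ServerDdlLog (
    LogId         int IDENTITY(1,1) PRIMARY KEY,
    EventTimeUtc  datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    EventType     nvarchar(128) NULL,
    LoginName     nvarchar(128) NULL,  -- login that ran the statement, from EVENTDATA()
    OriginalLogin nvarchar(128) NULL,  -- login that opened the connection
    HostName      nvarchar(128) NULL,  -- client-supplied, treat as a hint only
    DatabaseName  nvarchar(128) NULL,  -- NULL for login events
    CommandText   nvarchar(max) NULL,
    RawEvent      xml           NOT NULL
);
CREATE USER ddl_audit_writer FOR LOGIN ddl_audit_writer;
GRANT INSERT ON dbo.ServerDdlLog TO ddl_audit_writer;
GO
-- Fires after the DDL statement has run; it records the event, it does not prevent it.
CREATE TRIGGER trg_audit_server_ddl
ON ALL SERVER
WITH EXECUTE AS 'ddl_audit_writer'  -- callers need no rights on the log table
FOR CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE, DDL_LOGIN_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    INSERT INTO DbaAudit.dbo.ServerDdlLog
        (EventType, LoginName, OriginalLogin, HostName, DatabaseName, CommandText, RawEvent)
    VALUES (
        @e.value('(/EVENT_INSTANCE/EventType)[1]',               'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',               'nvarchar(128)'),
        ORIGINAL_LOGIN(),
        HOST_NAME(),
        @e.value('(/EVENT_INSTANCE/DatabaseName)[1]',            'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e
    );
END;
GO
-- Anyone listed here can disable or drop the trigger, so review this list first.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

If the insert into the log table fails, the error is raised inside the DDL statement's batch, so test the trigger before relying on it. Rows attributed to a shared login such as sa identify the account, not the person, which is why the answer above recommends getting such accounts out of daily use.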
