They usually need local admin to install; you can and should restrict access using RBAC.
You can use an AppLocker policy: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
Defender for Cloud (Defender for Servers) can alert you to unwanted software installs on servers using Adaptive Application Control.
Defender for Endpoint can leverage Application Control policies to block installs from unwanted sources. There is also an MDAV option to block Potentially Unwanted Applications.
Endpoint Manager and Intune can be used to inventory software to clean up afterwards if needed.
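
A read-only check of the host-side controls mentioned above (local admin membership, the MDAV PUA setting, AppLocker), added here as an example and not part of the original answer. It assumes an elevated Windows PowerShell session with the Defender and AppLocker modules available; the installer path is a constructed placeholder.

```powershell
# Added example: audits one Windows host; nothing here changes configuration.

# 1. Who holds local admin (installers usually need it)?
#    'Administrators' is the English group name; adjust on localized systems.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Microsoft Defender Antivirus PUA protection state.
#    0 = disabled, 1 = enabled (block), 2 = audit mode.
$puaNames = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }
$pua = [int](Get-MpPreference).PUAProtection
"PUA protection: $pua ($($puaNames[$pua]))"

# 3. AppLocker rules are only enforced while the Application Identity
#    service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 4. Effective AppLocker policy: enforcement mode and rule count per collection.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    [pscustomobject]@{
        Collection  = $rc.Type              # Exe, Msi, Script, Dll, Appx
        Enforcement = $rc.EnforcementMode   # NotConfigured, AuditOnly, Enabled
        Rules       = $rc.ChildNodes.Count
    }
}

# 5. Would this installer be allowed for ordinary users under that policy?
#    The path is a constructed placeholder; point it at a real file to test.
$installer = 'C:\Users\Public\Downloads\example-setup.msi'
if (Test-Path $installer) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $installer -User Everyone
}
```

If step 4 prints nothing, no AppLocker policy is applied to the host. To turn PUA blocking on, `Set-MpPreference -PUAProtection Enabled` is the matching setter (`AuditMode` logs without blocking).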