Using the task scheduler would seem to be the simplest solution. You'll need an account that has admin access on the workstation. WMI also needs to be available. Here is a script that you can use as a starting point. There are a few minor issues with this technique. If the user is logged on when his account is added/removed from the admins group, a logoff will be required to implement the change. So if the user is logged on, and has admin access, that logon session will still have admin access even if the account is removed from the admins group. And if your user is tech savvy, once he has admin access, he could delete the task that removes his account from the admins group. So you might want to add some functionality to verify that the "remove" worked.
# This task must be run with an account that has admin access on the remote machine,
$user = 'testuser' # the account to use. can be in the domain\userid format
$computer = 'test10' # the machine where access is to be granted.
$from = (get-date).AddSeconds(30) # when to grant the access
$to = (get-date).AddMinutes(30) # when to remove the access
$session = New-CimSession -ComputerName $computer
unregister-scheduledtask -TaskName "Admin-Add-$user" -confirm:$false -CimSession $session -ErrorAction SilentlyContinue
$ac = New-ScheduledTaskAction -Execute "net.exe" -Argument "localgroup Administrators ""$user"" /add"
$tr = New-ScheduledTaskTrigger -once -at $from
$ts = New-ScheduledTaskSettingsSet -StartWhenAvailable
$pr = New-ScheduledTaskPrincipal -LogonType ServiceAccount -RunLevel Highest -UserId "NT AUTHORITY\SYSTEM"
Register-ScheduledTask -TaskName "Admin-Add-$user" -Trigger $tr -Action $ac -Settings $ts -Principal $pr -CimSession $session
unregister-scheduledtask -TaskName "Admin-Remove-$user" -confirm:$false -CimSession $session -ErrorAction SilentlyContinue
$ac = New-ScheduledTaskAction -Execute "net.exe" -Argument "localgroup Administrators ""$user"" /delete"
$tr = New-ScheduledTaskTrigger -once -at $to
$ts = New-ScheduledTaskSettingsSet -StartWhenAvailable -DontStopIfGoingOnBatteries -WakeToRun -AllowStartIfOnBatteries
$pr = New-ScheduledTaskPrincipal -LogonType ServiceAccount -RunLevel Highest -UserId "NT AUTHORITY\SYSTEM"
Register-ScheduledTask -TaskName "Admin-Remove-$user" -Trigger $tr -Action $ac -Settings $ts -Principal $pr -CimSession $session
# https://iamsupergeek.com/self-deleting-scheduled-task-via-powershell/