Hey,
Unfortunately there is no way to restrict admin account. It would have access to everything including overriding dynamic data masking.
As for the 2nd part, you can enable auditing to logs all logs and than analyse it :
medium.com/@harioverhere/identifying-who-accessed-azure-sql-using-audit-logs-f2ef51de2df9