This is more to do with *where* you are allowing DBAs access to. If you give someone local access to the server (in the dba group) then yes, you are basically giving them the keys (because they could do whatever they want at an OS level anyway).
If you protect that server access (as you should) then sysdba access becomes controlled in the normal manner. For example:
--
-- on db server
--
SQL> conn / as sysdba
Connected.
SQL>
SQL>
SQL> create user the_dba identified by the_dba;
User created.
SQL> grant create session to the_dba;
Grant succeeded.
SQL> grant sysdba to the_dba;
Grant succeeded.
--
-- from remote machine
--
SQL> conn the_dba/the_dba@np122
Connected.
SQL> sho user
USER is "THE_DBA"
SQL> conn the_dba/the_dba@np122 as sysdba
Connected.
SQL> sho user
USER is "SYS"
SQL> disc
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
--
-- on db server
--
SQL> alter user the_dba account lock;
User altered.
SQL> conn the_dba/the_dba@np122 as sysdba
Connected.
--
-- from remote machine
--
SQL> conn the_dba/the_dba@np122 as sysdba
ERROR:
ORA-28000: the account is locked