Wow, this is a read and a half, I think I'll stick to the pure techncial bit as I work in IT within schools so this is pretty much by bread and butter as the kids love trying to get into our systems / machines in ways they shouldnt. Ultimately as many others have said the fact you have given him an admin account essentialy means its game over. The whole point of admin is that it lets you change things and you are going to be immediately on the back foot trinyg to work out, how, it happened, rather than truly stopping it. I'd suggest you woudl be better of doing the below.
1. Enable bitlocker on the machine so the boot drive is encrypted, this means that even if something like a linux boot CD / pen drive is used, it wouldn't be able to interact with the bitlockered volume to make any changes. Ensure they bit locker password is long and dont save the key somewhere the kid can access
2. Put an admin password on the BIOS of the machine, ensure its different and dont let the kid have it.
3. Within the BIOS disable the ability to boot from USB, CD, Network, everything, except the internal drive itself. Ensure things like secure boot, and the TPM are enabled.
4. Change the kids admin account to a standard user.
5. Reset the password on your admin account on the machine, again make this different to the BIOS and Bitlocker passwords.
If you do all 5 of them that should stop it. Disabling the boot options in BIOS stops things like linux CD's etc being able to boot. Password protecting the BIOS then stops those settings from being changed. Bitlockering the drive stops it from being read or files being changed should the prior two methods fail for any reason (but short of guessing that password I dont see how they could) or if the drive is removed and put in something else. Dropping the kids account to a standard user account means they cant disable bitlocker, and then cant reverse engineer any of the other bits. It should also make it considerably harder to install any kind of tools that cold find the passwors mentioned, or circumevent any of the other protections.
With all of these in place there's really no way they should be able to bypass anything. Though keep in mind the instant you give them admin rights, its game over. At that point passswords et are irrelevant as they can simply use their admin to install all mannaer of tools designed to cirumvent this. It only works if you do everything together. If you take admin away, but dont secure the bios and bitlocker the drive, they can simply boot a live CD to do things in that that you cant do without admin etc. It only works if you do everything together.