Geoff Carman
There are several issues here:
There are commercial tools that audit rights throughout the tree, but for a simple approach, you can check the Admin user object for "Security Equal to Me" rights. (You can see this in ConsoleOne, as the second item on the Group Membership tab). You can also see this in DSBrowse, as it is stored in an actual attribute - Equivalent To Me. So whatever tool you like to use, Dsbrowse, LDAP browsers, ConsoleOne, etc., you can see the DN of who is equal to Admin.
"Admin" gets the rights to administer the tree as an ACL of "S" (Supervisor) rights to the [Root] object in the tree. So check out the explicit trustees of [Root] (which looks like the name of the tree in ConsoleOne) and see who has explicit rights. The actual Attribute is
called ACL and will have multiple values, that look something like this:
2#subtree#cn=bob,o=acme#[All Attributes Rights]
6#entry#cn=bob,o=acme#loginScript
Personally, I like to create a second account somewhere in the tree with explicit rights to [Root] so that is Admin ever gets accidentally deleted, it is easy to fix. On the other hand, an account that is "Security Equal To the Admin" would lose all rights if the Admin were accidentally deleted.
This works best in a small, simple management model tree. If you have set up distributed administration and have OU's that have local Admins, you just need to repeat all this for each boundary of rights.
The nice news is that these attributes are all exposed via LDAP, so if you like, you could use LDAP to get them, making it a cross-platform tool.
There are plenty of additional places to look, but this should give you an idea of where to start the process. Or, it may convince you that it is worth buying a product that does all the hard work for you.
Support
Documentation
Learning Services
Partner Programs