If the user is silly enough to hand over their admin password to any program that asks for it, I can write a program that asks for it. Then, I take that password they provided, upload it to my server, upload the user's keychain, decrypt the user's keychain with the password they have so graciously given me, grab their online banking/PayPal login information, then book my cruise and order that MacBook Air I could never afford.
This has nothing to do with Access Control or Keychain Access. I write my own dialog and ask for the password. Given the success of MacDefender, I think I would collect quite a few of them.
The moral of the story? Don't hand over your password!