If you had another drive device, to make a complete backup of the files as they are (or were?) on the computer, then the TimeMachine backup copy would not be as important in the way you are thinking.
Because if you had another backup of the content of the computer, you could compare the two, and also have proof of tampering -- or at least enough to know it yourself; an employee could always say they accidentially clicked this or that, and blame technology to cover for spiteful act.
A write-only backup would be good in a few occasions where that would not be erased or tampered with; except it would not allow for file or error correction. But a second backup not directly accessible to the employee could be protected with a password or other means.
Also, if you were too concerned, I'd think you'd have not given the employee a break; however that matter should be separate from the data protection idea. A policy and plan should be in place to make two or three backups and these should have an inherant redundency, with at least one specifically with security in mind.
If your computer workstations were using a more central archive and main shared networked computer to save/retrieve from, you could also consider installing a keystroke logging software. That won't stop someone from accessing files with a smart phone or other device that can send images of documents offsite.
There may be a way to use a RAID setup to make more than one copy then work out the means to protect the second drive from tampering.
Hopefully you won't need it.
Good luck & happy computing! 🙂