You would recommend using of both a security group (e.g. Junior Admins), assign those personnel in this membership, and then create a group policy with those permissions. Then assign this group policy to this security group. As per the auditing, You can use the built-in auditing within windows with some modifications. Or you can use a product like Active Administrator.
Within ESX, you cause modify the authentication mechanism to utilize Active Directory. Here’s the pdf link to enable that: http://www.vmware.com/vmtn/resources/582
Lotus Domino & Notes (not familiar with) should be able to utilize AD which can then be audited by Active Administrator.