SAP_ALL and SAP_NEW - Usage Log Review

former_member245311
Participant

Dear Friends, we have dialog user IDs [DDIC & SAP*] and a couple of service user IDs with SAP_ALL & SAP_NEW. Audit has requested that a monthly review be put in place.

Please let me know the following:

1. Can SM20 security logs be activated only for specific IDs? If yes, please let us know how.

2. Or can STAD logs suffice for this need?

3. Please share if any additional best practices.

Thanks

Raj

mostafa_signifysolution
Active Participant

As Warren has mentioned, SAP generic IDs should be locked and not used, especially SAP*; this account should never really be used after implementation. There are some cases where you would need to use DDIC, but that should follow your firefighter process.

Also, non-dialog users should follow least-privilege principles; giving them every single role/profile in SAP is not required and, most importantly, not needed.

In terms of responding to your audit requirement,

1. You need to clean up your user/role assignment that is and should be your first task.

2. Once you clean up your role & profile assignments, if you want to monitor specific elevated accounts, then you can use multiple sources to evaluate the user activities beyond just execution of a program or a tcode (i.e. by looking at the STAD data). Each of these logs will serve a different purpose, including looking at the AUT10 tcode (table logs & change documents), STAD logs for transaction/program history, Security Audit Logs (SM20) for transaction & client maintenance activities and System Logs (SM21) for system activities (e.g. debug).

At the end of the day, the "remediation" is not to put in place a monitoring activity, because monitoring activity should not reduce the risk to the acceptable level. Your option is to remediate by fixing your role/profile assignments and then mitigating the residual risk by putting monitoring activities in place for what matters.

PS: Yes, SM20 can be enabled for targeted users. You configure that through SM19. There are tons of notes and SAP articles that show you how to configure SAP Security Audit Log (SAL - SM20) reports.
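The monthly review the answer describes, as an added example that is not part of the original thread or of any SAP-delivered tool: a small Python script that reads an exported, user-filtered audit log and (a) flags every record for the accounts that are supposed to be locked (SAP*, DDIC) and (b) summarises what the remaining watchlisted service IDs actually ran. The semicolon-separated record layout, the service account names SVC_BATCH and SVC_IFACE, and the sample records are all constructed for this illustration; a real SAL export from SM20 has its own column layout, so the parser would need to be adapted to it.

```python
"""Monthly review of privileged-account activity from an exported audit log.

Added example (not SAP code). The record layout below is constructed:
date;time;client;user;terminal;transaction;event
"""
from collections import Counter, defaultdict

# Generic accounts that are expected to be locked: any activity is a finding.
LOCKED_ACCOUNTS = {"SAP*", "DDIC"}
# Hypothetical service IDs that still hold SAP_ALL/SAP_NEW pending cleanup;
# their activity is summarised rather than flagged.
SERVICE_ACCOUNTS = {"SVC_BATCH", "SVC_IFACE"}
WATCHLIST = LOCKED_ACCOUNTS | SERVICE_ACCOUNTS

# Constructed sample export (not real SM20 output).
SAMPLE_EXPORT = """\
2024-03-01;08:02:11;100;JSMITH;WS-042;SU01;Transaction started
2024-03-01;08:05:40;100;SVC_BATCH;;SM37;Transaction started
2024-03-02;23:59:02;100;SAP*;WS-007;;Logon successful
2024-03-02;23:59:30;100;SAP*;WS-007;SU01;Transaction started
2024-03-03;09:10:00;000;DDIC;WS-013;;Logon successful
2024-03-03;09:11:15;000;DDIC;WS-013;SE38;Transaction started
2024-03-04;02:00:00;100;SVC_IFACE;;SM59;Transaction started
2024-03-04;02:00:30;100;SVC_IFACE;;SM59;Transaction started
2024-03-05;10:00:00;100;JSMITH;WS-042;SM20;Transaction started
"""

FIELDS = ("date", "time", "client", "user", "terminal", "tcode", "event")


def parse_records(text):
    """Turn the constructed export into a list of dicts, one per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(";")
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, values)))
    return records


def review(records, watchlist=WATCHLIST, locked=LOCKED_ACCOUNTS):
    """Return (findings, summary).

    findings: one line per record of a locked account (should be empty).
    summary:  {user: {tcode-or-event: count}} for every watchlisted user,
              so the reviewer sees what SAP_ALL was actually used for.
    """
    findings = []
    summary = defaultdict(Counter)
    for r in records:
        if r["user"] not in watchlist:
            continue  # ordinary users are out of scope for this review
        activity = r["tcode"] or r["event"]
        summary[r["user"]][activity] += 1
        if r["user"] in locked:
            where = r["terminal"] or "n/a"
            detail = f" (tcode {r['tcode']})" if r["tcode"] else ""
            findings.append(
                f"{r['date']} {r['time']} client {r['client']}: "
                f"{r['user']} {r['event'].lower()} from terminal {where}{detail}"
            )
    return findings, {user: dict(c) for user, c in summary.items()}


if __name__ == "__main__":
    findings, summary = review(parse_records(SAMPLE_EXPORT))
    print("Findings (locked accounts with activity):")
    for f in findings:
        print("  " + f)
    print("Activity summary for watchlisted accounts:")
    for user, acts in sorted(summary.items()):
        print(f"  {user}: {acts}")
```

Run it on its own and it prints the four SAP*/DDIC findings followed by a per-account activity summary; swapping `SAMPLE_EXPORT` for a file read and `FIELDS` for the real export's columns is the only change needed to use it on an actual extract. The summary is the part worth keeping after cleanup: it shows which transactions a service ID genuinely needs, which is the input for replacing SAP_ALL with a scoped role.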