Hi... I'm a user but...
In relation to the administrator account, yes, it has to have administrative rights, and these are granted to it through "sudo".
Webadmin uses the HTTPS protocol, so the traffic couldn't be easily deciphered for session-hijacking purposes.
In addition, if I need to manage my domains from the Internet with webadmin, I do it through a VPN (actually my webadmins are only accessible from the internal interfaces). Consider using fail2ban too.
A competent sysadmin can configure a Zentyal system to keep it secured against the most usual automated attacks, but personally I don't believe I'm good enough a sysadmin to fight against a truly motivated hacker; this is true for Zentyal and any other system. If you need the highest security degrees, the key point is the sysadmin, not the system itself.
Cheers!