IMO the kind of authentication logging we are doing [historic link] is expected from any decent application by default and should live in core. (Also, for obvious reasons the config files are a poor place for business logic.) The only reason this is not trivial to do is the wfGetPrivilegedGroups method which is used to enrich the logs and is somewhat WMF-specific. We should probably move it (and the whole logging) to core.
We could have a static User::getPrivilegedGroups() method, a $wgPrivilegedGroups config settings which defaults to admin/bureaucrat/interface-admin and a GetPrivilegedGroups hook for CentralAuth and similar extensions to tie into.