Colour me paranoid; at least based on my web searches OS X users do not seem to suffer from the same aversion to always running under the Administrator account. The first thing I did when I realised that this was in fact the case was to create myself a new Standard account and then assign a better password to the Administrator account that was so helpfully created for me.
OS X does a good job of facilitating running as Standard, up to a point: any time I need admin privileges, I am asked to authenticate as any of the local Administrator users, which works pretty well in the GUI. However, I cannot sudo at the terminal as a Standard user (the default sudoers only grants sudo to root and the admin group), so I needed to fix that. By default, the root account is disabled, which is frankly a rather silly precaution since any Administrator can use sudo anyway (at least it was not made NOPASSWD). Here are the steps:
- Enable root
  - Run Directory Utility in /Applications/Utilities/ (or through Finder)
  - Click the lock and authenticate if necessary
  - Menu, Edit > Enable Root User
  - Menu, Edit > Change Root Password (make this something long and different from your Administrator password)
  - Click the lock to relinquish privileges
- Configure sudo
  - Open up a terminal session
  - Switch to your Administrator account:
    login <admin unix name>
  - To edit the sudoers configuration file, use visudo (despite the name, it does respect EDITOR): sudo visudo. You will already have a default file in place with commented sections.
  - Look for the Defaults section and add yourself a few options by inserting a line like this (substitute 'joe' with your username):
    Defaults:joe runaspw, passwd_tries=3, timestamp_timeout=3
    The Defaults:joe prefix limits these settings to that user (there are host, group and command versions too). runaspw means that whoever invokes sudo must enter the password of the account sudo runs commands as by default (runas_default, which is root unless you change it) rather than their own password; rootpw does the same for root explicitly, and targetpw asks for the password of whichever user is named with -u. passwd_tries=3 means that three invalid attempts terminate the sudo attempt, and timestamp_timeout=3 means that a successful sudo authentication persists for 3 minutes without having to re-enter the password. Use the latter two with normal caution and not at all on publicly accessible machines.
  - Under User Privileges (you already see root and %admin there), add a line for yourself:
    joe ALL=(ALL) ALL
    The syntax may look a bit cryptic: the first ALL lists the hosts (names or addresses) the rule applies to, the (ALL) lists the users the command may be run as (chosen with the -u flag; root when it is omitted) and the last ALL is the set of commands the user may run under this rule. If you list programs explicitly instead of granting ALL, use full paths: sudoers requires them, and a bare name would let a lookalike binary elsewhere in PATH be substituted for the program you meant.
  - Look at man sudoers for further details.
  - Save and quit
- Disable root login (this leaves the root password in place, which runaspw relies on, but blocks interactive logins as root)
  - login <admin unix name> (if you closed the session)
  - su (enter the root password you set above)
  - chpass (Leopard correctly updates DirectoryService with chpass)
    - Caution: double-check the paths before entering
    - Change Home Directory to /var/empty
    - Change Shell to /sbin/nologin
    - Save and quit
  - ^D (leaves the root shell)
  - In your sshd_config, set PermitRootLogin no. Also consider just using key-based authentication
  - ^D (leaves the Administrator session)
- Test it from your Standard account:
  sudo echo 'hi'
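The sudoers rule and the lockdown steps above, as an added example that is not part of the original post: a small POSIX shell script that generates the Defaults and user-specification lines for a given user, refuses command lists that are not absolute paths, validates the fragment with visudo where it is installed, and audits the result (root's shell and home directory read with dscl, and the PermitRootLogin value sshd will actually use, honouring first-match-wins and ignoring Match blocks). The user name joe, the /tmp output path and the sshd_config locations it looks in are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the original post. It builds the sudoers lines
# described above for one user, refuses command lists that are not absolute
# paths, validates the result with visudo, and audits the root lockdown
# (root's shell and home via dscl, PermitRootLogin in sshd_config).
# The user name "joe", the /tmp output path and the sshd_config locations
# checked by audit() are assumptions for the example.

# Print the Defaults line and the user specification for USER. CMDS defaults
# to ALL (the rule from the post); pass a comma-separated list of absolute
# command paths to restrict what the user may run instead.
sudoers_fragment() {
    printf 'Defaults:%s runaspw, passwd_tries=3, timestamp_timeout=3\n' "$1"
    printf '%s ALL=(ALL) %s\n' "$1" "${2:-ALL}"
}

# Return 0 when every entry of a comma-separated CMDS list is ALL or starts
# with "/". sudoers requires absolute paths; a bare name would let a lookalike
# binary earlier in PATH be run instead of the intended program.
cmds_absolute() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r cmd rest; do
        case $cmd in
            ALL|/*) ;;                 # arguments after the path are fine
            *) exit 1 ;;               # leaves the subshell with status 1
        esac
    done
}

# Write the fragment for USER/CMDS to OUT and check it with visudo -c -f.
# Status: 0 valid, 1 bad command list or syntax error, 2 visudo not
# installed (fragment written but unvalidated). visudo also checks owner
# and mode, so run this as root on a root-owned, mode 0440 file.
build_sudoers() {
    cmds_absolute "${2:-ALL}" || return 1
    sudoers_fragment "$1" "${2:-ALL}" > "$3"
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$3"
}

# Print the PermitRootLogin value sshd will actually use from CONFIG. The
# first uncommented occurrence wins, and anything after a Match line is
# conditional, so it is ignored. A missing directive meant "yes" on the
# OpenSSH releases of that era (newer ones default to prohibit-password).
sshd_permit_root_login() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" && val == "" { val = $2 }
        END { print (val == "" ? "yes" : val) }
    ' "$1"
}

# Return 0 when root cannot log in interactively: a no-login shell and
# /var/empty as home, as set with chpass above.
root_account_locked() {
    case $1 in
        /sbin/nologin|/usr/bin/false) ;;
        *) return 1 ;;
    esac
    [ "$2" = /var/empty ]
}

# Live audit: root's record via dscl (macOS only; skipped elsewhere) and the
# first sshd_config found (/etc/sshd_config on Leopard, /etc/ssh/sshd_config
# on later releases). Returns 1 if anything is still open.
audit() {
    rc=0
    if command -v dscl >/dev/null 2>&1; then
        shell=$(dscl . -read /Users/root UserShell | awk '{ print $2 }')
        home=$(dscl . -read /Users/root NFSHomeDirectory | awk '{ print $2 }')
        if root_account_locked "$shell" "$home"; then
            echo "root account: locked ($shell, $home)"
        else
            echo "root account: NOT locked ($shell, $home)"; rc=1
        fi
    else
        echo "root account: skipped, dscl not available"
    fi
    for cfg in /etc/sshd_config /etc/ssh/sshd_config; do
        [ -r "$cfg" ] || continue
        val=$(sshd_permit_root_login "$cfg")
        [ "$val" = no ] || rc=1
        echo "$cfg: PermitRootLogin $val (want no)"
        break
    done
    return $rc
}

# Usage: sh root_lockdown.sh --audit
#        sh root_lockdown.sh --sudoers joe "/usr/bin/top, /usr/sbin/lsof"
case "${1:-}" in
    --audit)   audit ;;
    --sudoers) build_sudoers "$2" "${3:-}" "/tmp/sudoers.$2" ;;
esac
```

Run the audit after the steps above; it reports the root record and the effective PermitRootLogin setting and exits non-zero if either is still open. The awk check mirrors how sshd reads its file: the first value of a keyword wins, so a PermitRootLogin no appended below an earlier yes changes nothing, and a value inside a Match block only applies to the matched sessions.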
If you should ever need to enable root logins again, you can still do sudo chpass (with sudo the effective user is root, so it edits root's entry) and set the home directory and shell back (root's defaults are /var/root and /bin/sh).
That should be all! Now you do not need to separately su or rely on the sudo capabilities of your Administrator user.