This is adhoc code that you can run to get a list of all sa users in your entire shop. It expands the AD groups and sub-groups to give you a final list of users who have sa and it then adds in the SQL and Windows users.
Finally, it has 2 queries: 1. Shows a count of sa users per box in your shop. 2. Show you a list of everyone who has sa on each server and whether they're getting it via SQL, Windows, or AD Group.
Depending on how big your environment is it may take this code a few minutes to run. And you can do anything else you want with this data. You're free to turn it into an alert or a report if you like, though you may want to stage the data for a report.
Also, remember that the AD data by default is only collected once/week so if you've got a fast-changing environment, you may want to run the AD collection and the login collection right before running this so you have the latest data. Most of the time that shouldn't be necessary though.
No installation required. Simply run the code.