Hi,
This depends on our authentication method are you using local or LDAP/AD logins? Either way I think you'd need to use a subsearch that first looks for the user logins and then determines if they are part of the admin group "like" this:
source=<login events> user=* [source=<table or log that determines admin group membership> | fields user] | stats count by user