Jenkins / JENKINS-46964

Admin can get all API tokens


    • Type: Improvement
    • Resolution: Not A Defect
    • Priority: Major
    • Component: core

      As an admin, I can retrieve the API token of all users with:

      // Groovy, run from the Jenkins script console (Manage Jenkins > Script Console)
      user = hudson.model.User.get('userId')                               // look up the target user by ID
      prop = user.getProperty(jenkins.security.ApiTokenProperty.class)     // that user's API token property
      println(prop.getApiTokenInsecure())                                  // prints the token in clear text

      and then I can launch a command on their behalf (even on another admin's behalf).

      That should not be possible.

      A malicious administrator can do whatever he wants; that is not acceptable at an organization level.

            Assignee: Unassigned
            Reporter: Mikael Gaunin (mgaunin)
            Votes: 0
            Watchers: 1
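Which users can actually be read out this way depends on how their token is stored. The following script console snippet is an added audit check, not the reporter's script and not code from the Jenkins project: it lists the users who still hold a legacy token that getApiTokenInsecure() can return in clear text, without printing any token value. It assumes a Jenkins version with the hashed API token store (introduced in 2.129), where jenkins.security.ApiTokenProperty exposes hasLegacyToken(); that method name is taken from that version's API and should be verified against the running instance before use.

```groovy
import hudson.model.User
import jenkins.security.ApiTokenProperty

// Added audit script (assumption: Jenkins 2.129 or newer). On those versions
// ApiTokenProperty.hasLegacyToken() reports whether a user still keeps the old,
// recoverable token; on older versions every token is recoverable and the
// method does not exist, so this script will fail rather than report nothing.
def auditLegacyTokens() {
    def exposed = []   // user IDs whose token an admin can read back
    def safe = []      // user IDs with no legacy token (hashed tokens only, or none)
    User.getAll().each { user ->
        def prop = user.getProperty(ApiTokenProperty.class)
        if (prop != null && prop.hasLegacyToken()) {
            exposed << user.getId()
        } else {
            safe << user.getId()
        }
    }
    return [exposed: exposed, safe: safe]
}

def result = auditLegacyTokens()
// Only user IDs are printed; the token values themselves are never touched.
println "Users whose API token can be read back via getApiTokenInsecure(): ${result.exposed}"
println "Users without a recoverable token: ${result.safe}"
```

Users on the exposed list can revoke the legacy token from their own configuration page and generate a new one; the replacement is stored hashed, so the script console read-back shown in the report no longer yields it, although an administrator with script console access remains fully trusted for everything else.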
