Re: Finding unmanaged Switches and Hubs on the LAN

Hi Jon -

 

It depends on your access switches (and also how "aggressive" your management wants you to be) but a combination of BPDU guard and MAC address limiting can be very effective at dealing with this issue. As an example, the following config on a Cisco Catalyst switch will turn on BPDU guard on those switches that are set to portfast (as your access ports should be), and limit the maximum number of MAC addresses on fa0/1 to 2 in total (can be any MAC addresses, just no more than two at once):

 

    conf t
    spanning-tree portfast bpduguard default
    interface FastEthernet 0/1
     switchport port-security
     switchport port-security maximum 2

 

The system will then log violations of these values (after error-disabling the port), which you should be able to search for, forward, alert on, etc. If you want to get really clever, the following will automatically try and reset the port every 5 mins after the switch sees a violation (so if a user unplugs the hub/switch/router and just puts a PC back in 5 mins later, they will work fine):

 

    errdisable recovery cause bpduguard
    errdisable recovery cause psecure-violation
    errdisable recovery interval 300

 

Sure if you aren't a Cisco house your chosen switch manufacturer will have similar settings.

 

Regards,

 

John
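
The logged violations described in the post above can be searched once the switches forward syslog to a collector. The following is an added example, not part of the original post: it groups err-disable events by switch and port and flags ports that trip again after the 5-minute auto-recovery, which suggests the device is still plugged in. The message formats are assumed to match typical Catalyst IOS output (wording varies by platform and version), and the hostnames, ports and MAC address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (hostnames, ports and MAC are made up;
# message wording is an assumption based on typical Catalyst IOS output).
SAMPLE_LOG = """\
Mar  1 09:14:02 sw-access-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
Mar  1 09:14:02 sw-access-01 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  1 09:19:02 sw-access-01 %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1
Mar  1 09:19:05 sw-access-01 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  1 10:02:40 sw-access-02 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
Mar  1 10:02:40 sw-access-02 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  1 10:30:00 sw-access-02 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

ERR_DISABLE = re.compile(
    r"(?P<host>\S+) %PM-4-ERR_DISABLE: (?P<cause>bpduguard|psecure-violation) "
    r"error detected on (?P<port>\S+),")
PSECURE_MAC = re.compile(
    r"(?P<host>\S+) %PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"(?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$")

def norm_port(name):
    # The two message types name the port differently (FastEthernet0/7 vs Fa0/7).
    return re.sub(r"^(FastEthernet|GigabitEthernet)", lambda m: m.group(1)[:2], name)

def summarise(log_text):
    """Return {(host, port): {"trips": n, "causes": set, "macs": set}}."""
    ports = defaultdict(lambda: {"trips": 0, "causes": set(), "macs": set()})
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            entry = ports[(m["host"], norm_port(m["port"]))]
            entry["trips"] += 1
            entry["causes"].add(m["cause"])
            continue
        m = PSECURE_MAC.search(line)
        if m:
            ports[(m["host"], norm_port(m["port"]))]["macs"].add(m["mac"])
    return dict(ports)

def repeat_offenders(summary, min_trips=2):
    """Ports err-disabled again after auto-recovery: device likely still attached."""
    return sorted(k for k, v in summary.items() if v["trips"] >= min_trips)

if __name__ == "__main__":
    for key, info in summarise(SAMPLE_LOG).items():
        print(key, info)
    print("repeat offenders:", repeat_offenders(summarise(SAMPLE_LOG)))
```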

