
How can I ensure that GCP service accounts do not have Admin privileges?


I would like to ensure that Google Cloud Platform service accounts do not have Admin privileges.

Furthermore, I would like to prevent users from creating service accounts with admin privileges, or adding admin rights to existing service accounts.

Do you know of a method to ensure this via Policies?


Solution

  • You can use granular permissions depending on what users need to do.

    It is possible to limit the resources, and using those granular permissions you can create a custom role based on Compute Admin, removing all the permissions that follow the syntax "...setIamPolicy", i.e.

    compute.instances.setIamPolicy
    compute.licenses.setIamPolicy
    compute.machineImages.setIamPolicy
    compute.licenseCodes.setIamPolicy
    

    This can limit the users' ability to set IAM bindings, but it is limited in general, for users, not just service accounts. Using it for only SAs is not possible.

    I recommend you follow the IAM best practices so you can better manage your security; if needed, you can create a feature request to support IAM conditions on role bindings.
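The answer above describes two things: deriving a custom role from Compute Admin with every `*.setIamPolicy` permission removed, and the fact that role bindings cannot be restricted to service accounts only, so the practical control is to audit the policy for service accounts that already hold admin roles. The script below is an added example, not code from the answer or from Google; it works on a constructed subset of the Compute Admin permission list (the real role has several hundred entries, which you can pull with `gcloud iam roles describe roles/compute.admin --format="value(includedPermissions)"`) and on a constructed project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints. The member addresses and the custom role name `computeOperatorNoIam` are made up, and the "admin role" test is a naming heuristic (primitive owner/editor, or a predefined role whose name ends in `admin`), not an authoritative list.

```python
import json

# Constructed subset of roles/compute.admin permissions (assumption: the real
# list is much longer; only the naming pattern matters for the filter).
COMPUTE_ADMIN_PERMISSIONS = [
    "compute.instances.create",
    "compute.instances.delete",
    "compute.instances.get",
    "compute.instances.setIamPolicy",
    "compute.licenses.setIamPolicy",
    "compute.machineImages.setIamPolicy",
    "compute.licenseCodes.setIamPolicy",
    "compute.disks.create",
    "compute.disks.getIamPolicy",
]

# Constructed project IAM policy; members, project id and the custom role
# name are placeholders, not real accounts.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:monitor@example-project.iam.gserviceaccount.com"]},
        {"role": "projects/example-project/roles/computeOperatorNoIam",
         "members": ["serviceAccount:ops@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["group:devs@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXYZ",
    "version": 1,
})


def strip_iam_policy_permissions(permissions):
    """Build the permission list for a custom role: the input minus every
    permission ending in .setIamPolicy, so the role cannot grant itself or
    anyone else new bindings on compute resources."""
    return [p for p in permissions if not p.endswith(".setIamPolicy")]


def custom_role_definition(role_id, title, permissions):
    """Return the dict you would write to a YAML file and pass to
    `gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml`."""
    return {
        "title": title,
        "stage": "GA",
        "includedPermissions": strip_iam_policy_permissions(permissions),
    }


def is_admin_role(role):
    """Heuristic: primitive owner/editor, or a predefined (roles/...) role whose
    name ends in 'admin'. Custom roles are not flagged by name alone."""
    if role in ("roles/owner", "roles/editor"):
        return True
    return role.startswith("roles/") and role.lower().endswith("admin")


def find_admin_service_accounts(policy_json):
    """Return sorted (member, role) pairs for every service account that is
    bound to an admin role in the given project IAM policy JSON."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        if not is_admin_role(binding["role"]):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, binding["role"]))
    return sorted(findings)


if __name__ == "__main__":
    role = custom_role_definition("computeOperatorNoIam",
                                  "Compute operator without IAM rights",
                                  COMPUTE_ADMIN_PERMISSIONS)
    print(json.dumps(role, indent=2))
    for member, bound_role in find_admin_service_accounts(SAMPLE_POLICY):
        print(f"ADMIN SA: {member} has {bound_role}")
```

Run the audit function against the real policy output (`gcloud projects get-iam-policy PROJECT --format=json`) on a schedule; it only reports existing bindings, it does not block new ones, which matches the answer's point that the restriction cannot be scoped to service accounts at the policy level.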