Windows Server 2003/2008 R2 AD Group Adds at Random to Builtin\Administrators

active-directory, windows-server-2003, windows-server-2008-r2

We're having a strange problem that we can't fathom out. We have inherited a 2003 FFL/DFL domain that has a mix of 2008 R2 and 2003 DCs. The Workstation Admins group was in Builtin\Administrators, not great I know. We removed said group from the elevated permissions only to find it had returned the next day.

Checking the permissions on the group Builtin\Administrators, only Domain Admins can affect it, as it should be. We used repadmin to track down when the change happened:

repadmin /showobjmeta DC01 "CN=Administrators,CN=Builtin,DC=Domain,DC=co,DC=uk"

This showed us where and when the change occurred:

PRESENT       member 2012-11-27 10:32:23             Site1\Site1-DC01 2773346 3067148  13

    CN=Workstation Admin,OU=Management Services,OU=HO,OU=Offices,DC=Domain,DC=co,DC=uk

On looking at the security logs on the Site1-DC01 we found:

Event Type: Success Audit
Event Source:   Security
Event Category: Account Management 
Event ID:   636
Date:       27/11/2012
Time:       10:32:23
User:       NT AUTHORITY\SYSTEM
Computer:   STD-DC01
Description:
Security Enabled Local Group Member Added:
    Member Name:    -
    Member ID:  CENTRAL\Workstation Admin
    Target Account Name:    Administrators
    Target Domain:  Builtin
    Target Account ID:  BUILTIN\Administrators
    Caller User Name:   STD-DC01$
    Caller Domain:  CENTRAL
    Caller Logon ID:    (0x0,0x3E7)
    Privileges: -

So, we assumed Group Policy was to blame. On going through all GPOs there is use of User Rights Assignment, Restricted Group Access or Local Users and Groups Assignment. We have also gone through all login scripts and nothing is set there either.

On checking the ADDS logs we can see that replication is working as it should.

It's also worth mentioning that Site1-DC01 holds no FSMO roles nor is it a GC.

We are stumped as to how it gets re-added. Can anyone point out what we're missing?

Best Answer

Sure sounds like a GPO to me...specifically the Restricted Group Access.

Run a "gpresult /Z > gpresult.log"

Then open the log file and look through it.

The only other thing would be to check and see if it gets applied at the same time each day/night. If so, look for a scheduled task somewhere or 3rd party management software that kicks off and changes the permissions.
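The tracing procedure in the question (repadmin metadata, then the originating DC's security log) and the follow-up checks in the answer (scheduled tasks on that DC) can be scripted so the check can be repeated every time the group reappears. The following is an added example, not code from the original question or answer. It assumes the RSAT ActiveDirectory module (Server 2012 or later admin host), that the account running it can read the Security log and scheduled tasks on the DCs, and placeholder names (`DC01`, the group DN copied from the question, the `Workstation Admin` group).

```powershell
# Added example (not from the original post): find which DC originated the
# re-add of a member to Builtin\Administrators, then pull the matching
# security events and the scheduled tasks from that DC.
Import-Module ActiveDirectory

$GroupDn = 'CN=Administrators,CN=Builtin,DC=Domain,DC=co,DC=uk'   # DN from the question
$AnyDc   = 'DC01'                                                 # placeholder DC to query
$Suspect = 'Workstation Admin'                                    # group that keeps coming back

# 1. Per-value replication metadata for the 'member' attribute: the same data
#    repadmin /showobjmeta prints (originating DC, timestamp, version).
$meta = Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $AnyDc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        Select-Object AttributeValue, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, Version

$hit = $meta | Where-Object { $_.AttributeValue -like "CN=$Suspect,*" }
if (-not $hit) { Write-Warning "$Suspect is not currently a member of $GroupDn"; return }
$hit | Format-List

# The originating server identity is an NTDS Settings DN
# (CN=NTDS Settings,CN=<server>,CN=Servers,...); extract the server name.
$originDc = ($hit.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN='
$when     = $hit.LastOriginatingChangeTime

# 2. Security log on the originating DC, five minutes either side of the change.
#    636  = Server 2003  "Security Enabled Local Group Member Added"
#    4732 = Server 2008 R2 "A member was added to a security-enabled local group"
#    Get-EventLog uses the legacy API, so it works against both OS versions.
$events = Get-EventLog -ComputerName $originDc -LogName Security `
              -After $when.AddMinutes(-5) -Before $when.AddMinutes(5) |
          Where-Object { (636, 4732 -contains $_.EventID) -and $_.Message -match 'Administrators' }

foreach ($e in $events) {
    # The caller field is laid out differently in the two event formats.
    $pattern = if ($e.EventID -eq 636) {
        'Caller User Name:\s+(\S+)'
    } else {
        'Subject:\s+Security ID:\s+\S+\s+Account Name:\s+(\S+)'
    }
    $caller = [regex]::Match($e.Message, $pattern).Groups[1].Value
    [pscustomobject]@{
        Time    = $e.TimeGenerated
        EventID = $e.EventID
        Caller  = $caller
        DC      = $originDc
    }
}

# 3. A caller of <DC>$ under SYSTEM (logon ID 0x3E7), as in the question, means the
#    change was made locally on that DC: look at what runs there on a schedule.
#    schtasks /query is available on both 2003 and 2008 R2.
schtasks /query /s $originDc /v /fo csv | ConvertFrom-Csv |
    Select-Object TaskName, 'Next Run Time', 'Last Run Time', 'Run As User', 'Task To Run' |
    Format-Table -AutoSize
```

Run it from the admin host after the group has reappeared; step 1 gives the DC and time to focus on, step 2 identifies the caller on that DC, and step 3 lists candidates if the caller is the DC's own machine account. If the Last Run Time of a task lines up with the change timestamp, that task (or the management software behind it) is the thing to inspect; `gpresult /scope computer /z` on the same DC covers the Restricted Groups possibility from the answer.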