Sounds like the problem is the IT employee's lack of skill at playing cards.
But seriously, review the FFIEC weblink previously provided and go to the Information Security booklet (you will find "concrete" guidelines). There are several problems with the scenario you provided. First of all, no one should have the unilateral authority to create a user account on the core system (especially without the Information Security Officer's knowledge). All core system users and their access permissions should be supported by a "system access" form (or something similar) that checks off each user's authorized access permissions --- which in your bank's case --- should be periodically reviewed and approved by a management-level committee (such as an IT Committee). Also, why does the head bookkeeper have full access permissions to the core system? With this scenario, it appears that the head bookkeeper has the "opportunity" to perpetrate fraud and conceal it as well. You may be relying on "after-the-fact" controls such as maintenance log reviews, etc., to keep everybody honest --- but why rely on those back-end controls when you can take care of things on the front-end (i.e., reduce the head bookkeeper's access permissions accordingly)? And lastly, if I understand you correctly, it appears that an "audit logging" feature has been disabled? ("daily reports for user listings") This appears to be a significant problem as well; why would someone want to disable a security logging feature unless he/she wants to hide something? Collectively, given your scenario, this does not pass the smell test.