Hi Bojan,
The security risk attached to GPP or a PowerShell script in a GPO is pretty much identical because the password is stored (even if obfuscated) in an easily accessible location. I think you'll need to look into 3rd party solutions which manage the local Administrator password remotely and let you retrieve the password when required, or build a DIY solution with your own database.
A DIY solution could be something like below:
1. Get a list of all PCs
2. Generate new passwords for each PC in a secured database
3. Connect to each PC remotely and change the password of the local Administrator
4. Create a web portal for authorised users to retrieve the password and log the retrieval
P.S. Where I'm working we don't create a separate Administrator user but we've deployed a 3rd party solution to manage the local Administrator password automatically.
Best,
Daniel
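
Steps 1 to 3 of the DIY outline above, as an added PowerShell example that is not part of Daniel's post. The OU, certificate subject and CSV path are placeholders, the CMS-encrypted CSV stands in for the secured database, and it assumes PowerShell remoting is enabled and the built-in account is still named Administrator.

```powershell
# Added example, not from the original post. The OU path, certificate subject
# and store path below are placeholders; adjust them to your environment.
#Requires -Modules ActiveDirectory
$SearchBase = 'OU=Workstations,DC=example,DC=com'    # placeholder OU
$VaultCert  = 'CN=LocalAdminVault'                   # placeholder document-encryption certificate
$StorePath  = 'C:\Secure\local-admin-passwords.csv'  # stand-in for the secured database

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet: a random byte modulo 64 is uniform (256 = 4 * 64), so no bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {   # retry until upper, lower and digit are all present (complexity policy)
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    $pw
}

# Step 1: list the PCs.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

foreach ($pc in $computers) {
    # Step 2: a unique password per PC, so one recovered password opens one machine only.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    try {
        # Encrypt first: if the vault certificate is missing, fail before changing anything.
        $secret = Protect-CmsMessage -To $VaultCert -Content $plain -ErrorAction Stop
        # Step 3: change the password over remoting; the SecureString is encrypted in transit.
        Invoke-Command -ComputerName $pc -ErrorAction Stop -ArgumentList $secure -ScriptBlock {
            param($pw)
            Set-LocalUser -Name 'Administrator' -Password $pw -ErrorAction Stop
        }
        [pscustomobject]@{ Computer = $pc; Changed = (Get-Date).ToUniversalTime().ToString('o'); Secret = $secret } |
            Export-Csv -Path $StorePath -Append -NoTypeInformation
    } catch {
        Write-Warning "Password not changed on ${pc}: $_"
    }
}
```

Retrieval for step 4 would decrypt a row with `Unprotect-CmsMessage` on a host that holds the certificate's private key, and record who requested it and when.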