Interesting, thanks for letting the q2a-community know.
If I understood the issue right, you could protect the admin account by disabling "forgot password" for admins in qa-page-forgot.php. Not by checking the email but by checking against the unique userid (which cannot be changed).
E.g. something like this after line 70:
if($inuserid==1) { return; }
I am no sec.expert at all, but this would be my first clue :)