Now the misconfiguration of our test server was a big mistake but not having logs as a way to audit the specific actions that were performed is a big mistake on the part of Jenkins core which can amplify a user's mistake.
While it would be a useful improvement to log script console messages, this would not fix a lot in your situation: Script console access allows an attacker to (mostly) trivially wipe all traces of their attack: It's not just "run any program", but, as it runs inside the Jenkins process, can just wipe all logging related to these actions (including making private fields accessible etc. to achieve this).
Unless there's an external append-only log of sorts configured, no improvements here are likely to substantially improve the situation. And once you need an admin to take action to protect themselves, it's easier to secure Jenkins properly.