Make sure you are collecting data on the event 1127: OAS Scanning Engine Disabled (Info) within event filtering.
Stick this in a report.
Bear in mind machines will have to collect the agent policies before they pull down changes to the event filtering.
If the user has the ability to disable the service, they can do pretty much what they want already, surely?
One way to make it more difficult perhaps is through a combination of using access protection (the 'prevent users from stopping McAfee services' option) and then locking down the VirusScan console by password policy so AP cannot be modified by the user unless they know the password - which of course you do not share.