Consider the following:
SQL Server and Agent services run under the local system account
A user has db_owner on all databases other than the system databases
User has local admin rights on the box
SQL builtin\administrator has been removed
User also has SQLAgentReaderRole rights
User does not have 'sa' password
Can the user in any way initiate a job that runs as 'sa'? Also, can the user create a job that runs against the master or msdb databases?