Thanks for testing. I agree that you won't get a notice when someone logs in with stolen credentials. The person still has to be logging in from the same IP, though, since it's a bypass based on IP.
Another option could be to make a checkbox next to the whitelist rule that says: Also include administrator login messages.
Michael