The only workable solution I can see is to make it
less likely that
stalkers will want to target particular admins. One way to do that
would be to set up anonymous admin accounts that multiple admins could
use. So for example, if a difficult user needs to be blocked, any
admin could access the joint admin account to make the block. The user
would only see that User:Admin1 had blocked him. Only trusted people
would have access to which admin had made a block with User:Admin1 at
time T.
I know it would complicate things, and it might make admin abuse a
little more likely. And we'd still have the problem of potential
leaks, so it wouldn't be foolproof by any means.
I would go with an ArbCom role account that can enforce decisions made
by ArbCom on their private mailing list. That way there are not any
individuals with the power to make untraceable blocks. ArbCom are the
most trusted members of the community (they may not have universal
support, but they are still trusted with checkuser and oversight), so
it makes sense that they be the ones to do this.