I'm assuming the sysadmin cannot/would not edit the source?
If that's the case, a solution like IonCube might do the trick. Just make sure PDO connection errors aren't displayed/logged, since they may contain connection info.
You can also try restricting the sql user's access to the server's IP, but it still may be possible to connect directly from the server itself.
If the sysadmin can't access the db, who's managing the db server?
