well unless he clears his cookies and history, the url will be stored on his computer. If anyone has access to his computer, they can access the page.
Do you have site stats that keep track of the most visited pages? If anyone taps into your site stats and they see the page adminlogin.php, they'll now know how to access this page.
How could the user get the admin username and password? on't write it down anywhere. As long as he doesn't put it on a post-it on his desk, you should be fine.
If you're really serious about this, store his password encrypted in a database (which is how you should do it anyways). That way, even if someone does get access to the records in your database, the password is encrypted and they can't unencrypt it. Then again, if they get access to a tool like phpmyadmin, they could just add another record and set the admin flag to yes (depending on how your database is set up).
There's flaws and bugs to everything. Having a seperate file for the admin to login may help a little, that way if someone tries to login with the admin password from the regular login page, it won't work. (you have to code it to do this).
Aside from that, you could backup the database daily, weekly, or biweekly; depending on the volume of new users it gets. That way if someone were to delete all the users, you'd atleast have a backup.
Hope this helps.
Cgraz
