The HTTP API is currently in revision, but I’m sorry I can’t give you an exact feature scope or date yet.
To your points:
The Bridge can’t show users of last actions atm due to it not having Admin rights.
This means this would need a complete rebuild of the logic. - We already had a similar request which ended in this feature request:
Invalid code attempts are listed in the activity log - to which the bridge has no access for the same reasons as stated above.
The Bridge does not directly communicate with the Keypad, so all admin action has do be done via the Smart Lock - and I think you already know the restrictions for that. 
To sum it up: All admin actions can only be done via Web API (which can be granted those rights) atm.
The main reason for that being that the HTTP API was planned for easy local communication with smart home control centers or similar; with the minimal access rights needed for that task.