In order to comply with PCI audits, all user command activities on the server must be logged and kept for six months. To log user command activities on our Linux servers, we use the trap command. We are now trying to achieve the same in FreeBSD. Every user in FreeBSD has a local account and is trusted.
Ah finally, the OP tells us what their real goal is: They are in the financial industry, the system being discussed here processes card payments (for example credit cards), and they are preparing for an audit under PCI rules.
This immediately means that a lot of the chatter about "rights" and "laws" becomes completely irrelevant. The only users of this system (in the sense of login user = UID) are likely employees and contractors working on the payment system. I very much doubt that this is a general use system (where people log in, read their mail, compile arbitrary code), but it is likely dedicated to processing payments.
But it also means that advice from random strangers on the internet is not what the OP needs. They need to read and understand the PCI rules. On the web, you can find guides for how to configure Linux systems for PCI compliance; the OP can probably go through those and take the exact equivalent steps on FreeBSD. I've gone through computer security audits, and they probably need to talk to the auditor (which is actually either an audit government agency or company) about what plans and documents are required.
On the specific question: The answer ultimately has to come from reading the PCI DSS standard, but it seems plausible that enabling either process accounting (which logs all external, but not builtin commands) or file operation accounting (which logs the effect of all commands on files) will satisfy the requirements. A quick look at a compliance guide (search for IBM Payment Card Industry DSS compliance) does not say anything about shell command logging.
And finally, the sh and bash shells (on both Linux and FreeBSD) have a trap command, but it is not for logging of all commands, but for handling signals. If the claim is that they use it for that purpose in the PCI compliance framework on Linux, then I'm very confused.
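The coverage gap mentioned in the reply above (process accounting records external programs but not shell built-ins) can be checked against a list of command lines. This is an added example, not part of the original post; the function names and the sample session are constructed for illustration, and only the first word of each line is examined.

```sh
#!/bin/sh
# Process accounting writes one record per exec'd program, so anything the
# shell handles internally (built-in, keyword, function, alias) leaves none.

# acct_class WORD: print "external" if the shell would exec a file for WORD,
# "internal" if the shell runs it itself, "unknown" if it cannot be resolved.
acct_class() {
    resolved=$(command -v "$1" 2>/dev/null) || { echo unknown; return 0; }
    case $resolved in
        /*) echo external ;;   # resolved to a path: an accounting record is written
        *)  echo internal ;;   # resolved inside the shell: no exec, no record
    esac
}

# unlogged_lines: read command lines on stdin and print those whose first
# word would not produce an accounting record. Simplification: pipelines,
# subshells and compound commands are not parsed.
unlogged_lines() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f   # split into words without globbing
        [ $# -gt 0 ] || continue       # skip blank lines
        [ "$(acct_class "$1")" = external ] || printf '%s\n' "$line"
    done
}

# Constructed sample session (not real log data).
sample_session() {
    cat <<'EOF'
cd /usr/local/etc
ls -l
echo test > notes.txt
cat notes.txt
umask 022
EOF
}

# Stand-alone run: list the sample lines that process accounting would miss.
sample_session | unlogged_lines
```

Note that the `echo` line changes a file without any accounting record, which is the kind of activity file operation accounting would be needed to capture.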