I don't think current versions of ASM allow you to restrict access by client IP, subnet or GeoIP region, etc. I'm pretty sure there is at least one request for enhancement related to this type of functionality. You could open a case with F5 Support and have your request added to the existing RFE(s).
In the meantime, you could try a few approaches:
Create an address type datagroup containing the allowed subnets/hosts and use an iRule to check for requests to /admin that aren't from an allowed IP. Rewrite the URI to something that will always get blocked in the ASM policy like /illegal_client_request_to_admin.exe (assuming you don't have .exe or wildcard filetypes allowed in your policy).
Use a separate VS which goes to a separate ASM policy that allows /admin URI access (or no policy if you trust the app administrators). Restrict access to the VS using an iRule and the same address type datagroup as you would for option one. Then block all access to /admin on your main ASM policy using an attack signature.
Aaron