Users connected via VPN should have connectivity to a Domain Controller (possibly read-only) to confirm account authentication. This sounds like the center of your particular problem. If the Windows computer cannot see Active Directory, it will not be able to confirm any domain-based changes, including your administrators attempting to make the user an administrator. Work with your VPN provider to ensure the appropriate firewall rules are set up for domain-based authentication.
With the user connected to the VPN, the system administrator should have a remote access tool to be able to share the screen and view any UAC control windows that pop up. Dameware and the built-in Remote Assistance tool work well. WebEx does not as it 'blacks out' the remote session when the UAC prompt pops up.
Using the remote access tool, the system administrator can right-click an installer file and select "run as administrator" or "run as another user" and use the administrator credentials to run the installer. As the user is connected to the VPN, the computer will be able to authenticate to the Active Directory Domain Controller and grant the admin access to run the installer. This also "caches" the credentials for future use as if the administrator ahead logged in locally, and the user does not see or know the administrator password at any point.
If it is an MSI file, or requires the command line, right-click the Command Prompt icon in the start menu the same way as above, and after authenticating use MSIEXEC to install the MSI.
LAPS, as mentioned by Slipeer, will be something to set up at a later date, as it does not solve the immediate problem. It solves the problem where a user has no network or VPN connectivity by allowing your Active Directory to manage individual local admin accounts, but if the remote user cannot connect to the domain over VPN right now, it can't be pushed t the system.
If you cannot use a remote access tool to get past the UAC, you can use compmgmt.msc on a local machine, connect to the user's machine, create a temporary local admin account and use it as above, then disable it before the user disconnects from the VPN. Again, this can only be done if you have connectivity to an Active Directory Domain Controller.