I think you can make a nice zero-knowledge interactive protocol to prove knowledge of an RSA secret key. First, the prover and the verifier jointly agree on a random number m between 1 and n-1. [0] Then the verifier signs that number, and tells the prover the signature. (The signature is d^m mod n.) The verifier verifies the signature, which, critically, is exactly the same as verifying that the signature encrypts to m.

Why is this zero-knowledge? Because the verifier could invent an entire transcript of the protocol without the prover’s help: choose a random signature and encrypt it to generate the “random message”. So the ability to work with the prover to generate random pairs of (message, signature) accomplishes nothing at all except to convince the verifier that the prover knows the secret key.

This, by the way, is one of many footguns involved in using raw RSA: you cannot assume that a private key was used properly just because someone presents the signature of some message. Better signature schemes built on top of RSA avoid this problem.

[0] This is fairly straightforward using cryptographic hashes. The verifier could instead choose freely, but then the protocol isn’t zero-knowledge.