You don't need to use Tcl for this provided you have EEM 3.0 or higher (which these days is pretty much a given).
Your overall logic is pretty sound. You'll use a timer (you can use cron or watchdog for this). Run the show command to get the ACL hits. Parse the results with regexp to pull out the hit count. But then this is where things may need to be adjusted. You likely don't want a trap every time this runs when the hit count is non-zero. Meaning if you get one deny hit, then every time the policy runs you'll get a trap. You likely only want traps when the hit count increases.
In that case, you'll need to save the current hit count to a context with context-save. Then before you get the new hit count, add a call to context-retrieve to pull out the saved value. If the new value is greater than (gt) the old value, then send a trap.